2016-09-22 - AFRAIDGATE NEUTRINO EK FROM 78.46.167.130 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-09-22-Afraidgate-Neutrino-EK-sends-Locky.pcap.zip   298.4 kB (298,423 bytes)

• 2016-09-22-Afraidgate-Neutrino-EK-sends-Locky.pcap   (320,474 bytes)

• ZIP archive of the malware:  2016-09-22-Afraidgate-Neutrino-EK-malware-and-artifacts.zip   286.3 kB (286,299 bytes)

• 2016-09-22-Afraidgate-Locky-decrypt-instructions.bmp   (4,149,158 bytes)
• 2016-09-22-Afraidgate-Locky-decrypt-instructions.html   (9,215 bytes)
• 2016-09-22-Afraidgate-Neutrino-EK-flash-exploit.swf   (76,251 bytes)
• 2016-09-22-Afraidgate-Neutrino-EK-landing-page.txt   (2,362 bytes)
• 2016-09-22-Afraidgate-Neutrino-EK-payload-Locky-downloader.exe   (48,128 bytes)
• 2016-09-22-Locky-ransomware.exe   (174,080 bytes)
• 2016-09-22-king.bisneshotspot.com-blog.js.txt   (216 bytes)

NOTES:

• Recent developments on the Afraidgate campaign can be found here.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from compromised site pointing to the Afraidgate URL.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 46.101.93.53 port 80 - king.bisneshotspot.com - GET /blog.js - Afraidgate redirect
• 78.46.167.130 port 80 - ujthdv.grandlinda.top - Neutrino EK
• 104.36.83.52 port 80 - mintridemo.com - Domain the Locky downloader retrieved Locky from
• 94.242.57.152 port 80 - 94.242.57.152 - POST /data/info.php - Locky post-infection traffic

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• f5xraa2y2ybtrefz.tor2web.org
• f5xraa2y2ybtrefz.onion.to

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  ff3889a991e7ddea35b67db40a186a1b5c99113cacfbc4e3bcce20bbfccce37f
  File name:  2016-09-22-Afraidgate-Neutrino-EK-flash-exploit.swf

PAYLOAD (LOCKY DOWNLOADER):

• SHA256 hash:  22829e8f2b4f628c1a2711867669e4112e237025ba09a86299b839420903d7fc
  File name:  2016-09-22-Afraidgate-Neutrino-EK-payload-Locky-downloader.exe

FOLLOW-UP MALWARE (LOCKY):

• SHA256 hash:  433787c491e8b3534c1b477615f619fcdb1dc4881d305b5941ea965de945d5cc
  File name:  2016-09-22-Locky-ransomware.exe

 

IMAGES

Shown above:  Desktop of the infected Windows host.

 

Shown above:  Checking the decryption instructions link using a Tor browser.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-09-22-Afraidgate-Neutrino-EK-sends-Locky.pcap.zip   298.4 kB (298,423 bytes)
• ZIP archive of the malware:  2016-09-22-Afraidgate-Neutrino-EK-malware-and-artifacts.zip   286.3 kB (286,299 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.