Malware-Traffic-Analysis.net - 2016-06-30

2016-06-30 - NEUTRINO EK DATA DUMP

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

Background on the Afraidgate campaign is located here.
Background on the EITest campaign can be found here.
Background on the pseudoDarkleech campaign is available here.

ASSOCIATED FILES:

2016-06-30-Neutrino-EK-data-dump-9-pcaps.zip 7.7 MB (7,666,729 bytes)

2016-06-30-Afraidgate-Neutrino-EK-sends-Locky-ransomware-after-marketingguerilla_es.pcap (389,569 bytes)

2016-06-30-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-4county_org.pcap (1,181,650 bytes)

2016-06-30-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-cliniqueh_dk.pcap (1,350,829 bytes)

2016-06-30-EITest-Neutrino-EK-sends-CryptXXX-ransomware-after-pekabex_pl.pcap (1,269,719 bytes)

2016-06-30-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-after-alphamedical02_fr.pcap (1,291,478 bytes)

2016-06-30-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-after-chromechurch_com.pcap (1,173,364 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-after-austinbioidenticaldoctor_com.pcap (940,549 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-sends-Gootkit-after-lostreschiles_com.pcap (383,704 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-sends-Gootkit-after-tne_mx.pcap (311,536 bytes)

2016-06-30-Neutrino-EK-data-dump-malware-and-artifacts.zip 3.0 MB (2,986,118 bytes)

2016-06-30-Afraidgate-Neutrino-EK-flash-exploit-after-marketingguerilla_es.swf (87,898 bytes)

2016-06-30-Afraidgate-Neutrino-EK-landing-page-after-marketingguerilla_es.txt (1,169 bytes)

2016-06-30-Afraidgate-Neutrino-EK-payload-Locky-ransomware-after-marketingguerilla_es.exe (240,130 bytes)

2016-06-30-Afraidgate-redirect-from-live.keeprunning_com_br-js-node.js.txt (276 bytes)

2016-06-30-EITest-CryptXXX-ransomware-decrypt-instructions.bmp (3,686,454 bytes)

2016-06-30-EITest-CryptXXX-ransomware-decrypt-instructions.html (36,201 bytes)

2016-06-30-EITest-CryptXXX-ransomware-decrypt-instructions.txt (1,755 bytes)

2016-06-30-EITest-Neutrino-EK-flash-exploit-after-4county_org.swf (88,348 bytes)

2016-06-30-EITest-Neutrino-EK-flash-exploit-after-cliniqueh_dk.swf (88,348 bytes)

2016-06-30-EITest-Neutrino-EK-flash-exploit-after-pekabex_pl.swf (88,194 bytes)

2016-06-30-EITest-Neutrino-EK-landing-page-after-4county_org.txt (1,175 bytes)

2016-06-30-EITest-Neutrino-EK-landing-page-after-cliniqueh_dk.txt (1,191 bytes)

2016-06-30-EITest-Neutrino-EK-landing-page-after-pekabex_pl.txt (1,171 bytes)

2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-ransomware-after-4county_org.dll (504,832 bytes)

2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-ransomware-after-cliniqueh_dk.dll (464,384 bytes)

2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-ransomware-after-pekabex_pl.dll (469,504 bytes)

2016-06-30-EITest-flash-redirect-from-fryex_tk.swf (3,371 bytes)

2016-06-30-EITest-flash-redirect-from-lokffd_tk.swf (3,371 bytes)

2016-06-30-EITest-flash-redirect-from-uucilo_ml.swf (3,371 bytes)

2016-06-30-page-from-4county_org-with-injected-EITest-script.txt (66,057 bytes)

2016-06-30-page-from-alphamedical02_fr-with-injected-script-pointing-to-Neutrino-EK.txt (22,495 bytes)

2016-06-30-page-from-chromechurch_com-with-injected-script-pointing-to-Neutrino-EK.txt (7,762 bytes)

2016-06-30-page-from-cliniqueh_dk-with-injected-EITest-script.txt (20,522 bytes)

2016-06-30-page-from-lostreschiles_com-with-injected-script-pointing-to-realstatistics-gate.txt (8,737 bytes)

2016-06-30-page-from-marketingguerilla_es-with-injected-script-pointing-to-Afraidgate-domain.txt (19,742 bytes)

2016-06-30-page-from-pekabex_pl-with-injected-EITest-script.txt (44,707 bytes)

2016-06-30-page-from-tne_mx-with-injected-script-pointing-to-realstatistics-gate.txt (7,378 bytes)

2016-06-30-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.bmp (3,686,454 bytes)

2016-06-30-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.html (36,201 bytes)

2016-06-30-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.txt (1,755 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-alphamedical02_fr.swf (88,194 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-austinbioidenticaldoctor_com.swf (88,194 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-landing-page-after-alphamedical02_fr.txt (1,181 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-landing-page-after-austinbioidenticaldoctor_com.txt (1,153 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-landing-page-after-chromechurch_com.txt (1,241 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-alphamedical02_fr.dll (486,912 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-austinbioidenticaldoctor_com.dll (507,392 bytes)

2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-chromechurch_com.dll (466,432 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-lostreschiles_com.swf (89,109 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-tne_mx.swf (83,743 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-landing-page-after-lostreschiles_com.txt (1,141 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-landing-page-after-tne_mx.txt (1,012 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-lostreschiles_com.exe (249,856 bytes)

2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-tne_mx.exe (192,512 bytes)

TRAFFIC

ASSOCIATED DOMAINS:

85.25.95[.]39 port 80 - realstatistics[.]info - "realstatistics" gate
85.93.0[.]43 port 80 - fryex[.]tk - EITest gate
85.93.0[.]43 port 80 - lokffd[.]tk - EITest gate
85.93.0[.]43 port 80 - uucilo[.]ml - EITest gate
139.59.191[.]79 port 80 - live.keeprunning[.]com[.]br - GET /js/node.js - Afraidgate redirect

5.2.72[.]17 port 80 - bdhvbntu.uwxdpb[.]xyz - realstatistics gate Neutrino EK
78.46.167[.]130 port 80 - iavevp.uvukzf[.]xyz - realstatistics gate Neutrino EK
78.46.167[.]130 port 80 - pcricdl.snhmht[.]xyz - Afraidgate Neutrino EK
85.25.107[.]188 port 80 - 1fissure.dinsystems[.]co[.]uk - pseudoDarkleech Neutrino EK
184.154.136[.]86 port 80 - bacillisirtisanoutuminen.doctorbargain[.]co[.]uk - EITest Neutrino EK
184.154.136[.]86 port 80 - geschaeftsjahre.doctorbargain[.]co[.]uk - EITest & pseudoDarkleech Neutrino EK
184.154.136[.]86 port 80 - lensvogsulphamino.databasewebeditor[.]co[.]uk - EITest & pseudoDarkleech Neutrino EK

5.196.70[.]240 port 80 - dcjtojmwdrpjs[.]ru - POST /upload/_dispatch.php - Locky ransomware callback after Afraidgate Neutrino EK
185.49.68[.]215 port 443 - CryptXXX ransomware callback traffic

FILE HASHES

FLASH EXPLOITS/EITEST FLASH REDIRECTS:

SHA256 hash: 4b0ef5ca48210a94a988fb5c75062c15af9d8bd1895908bbd602dd8448663c28
File name: 2016-06-30-Afraidgate-Neutrino-EK-flash-exploit-after-marketingguerilla_es.swf

SHA256 hash: 3d86f621f27c775bab9e6339be97f0373d6881c02d739fcff26e60861ff94abc
File name: 2016-06-30-EITest-Neutrino-EK-flash-exploit-after-4county_org.swf

SHA256 hash: a5cb4bf2678ead8d755befa08393095369381c2cda2f1eca4c20c51f3e5747ca
File name: 2016-06-30-EITest-Neutrino-EK-flash-exploit-after-cliniqueh_dk.swf

SHA256 hash: 43188c6f6e873194175d689618ac54301648d0205738ea3cb0c8fa0a684db59b
File name: 2016-06-30-EITest-Neutrino-EK-flash-exploit-after-pekabex_pl.swf

SHA256 hash: a1fee34de22442f9b4533b32ab35487924ad8d4e132ec0af4fdd2e0ef2b50c8a
File name: 2016-06-30-EITest-flash-redirect-from-fryex_tk.swf
File name: 2016-06-30-EITest-flash-redirect-from-lokffd_tk.swf
File name: 2016-06-30-EITest-flash-redirect-from-uucilo_ml.swf

SHA256 hash: 7a29e6c4be435a72aebd794d08dd071fffe6eef16ef938973d15cddaec9b4763
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-alphamedical02_fr.swf

SHA256 hash: 45832482297b435918f16759d8e799998ad9942d35525281a109a13e58bafce4
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-flash-exploit-after-austinbioidenticaldoctor_com.swf

SHA256 hash: 43e9ec641a58b3914d4531d86be026f4ef166d71a8752c2da5054258710e004e
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-lostreschiles_com.swf

SHA256 hash: dceccc3bd9b399ddc7e69824b71d21289e6147b89ee2f271ce9e615e354b2688
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-flash-exploit-after-tne_mx.swf

MALWARE PAYLOADS:

SHA256 hash: ddf25ecfc1cf5125af121e53a7619183d24c1beefdb9fd19ab3eebf3b86361dd
File name: 2016-06-30-Afraidgate-Neutrino-EK-payload-Locky-ransomware-after-marketingguerilla_es.exe

SHA256 hash: 0c389f603c66c2ef4ac1979dda03ec84f2ca5072ff5448fe2354e10eb460e389
File name: 2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-ransomware-after-4county_org.dll

SHA256 hash: 3f18c7aa7080e5c0fe0e5d37f62078a80957f0ec68c36cbcfe19b23127ad0f75
File name: 2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-ransomware-after-cliniqueh_dk.dll

SHA256 hash: 249cc9c0e5c44831734ccd27aec0ce19289ae12d0a13bff6d188ff2039d8feab
File name: 2016-06-30-EITest-Neutrino-EK-payload-CryptXXX-ransomware-after-pekabex_pl.dll

SHA256 hash: 5b57056fb8df8de170aa01f4e60c5b3252c60919dcb70ba61ad165100812ec48
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-alphamedical02_fr.dll

SHA256 hash: 48d992f01c65c1fc1e773c7ef377fb7d531e1d606244b30d2f3a31e4f48cb38e
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-austinbioidenticaldoctor_com.dll

SHA256 hash: 6f998cdd809f791e3b5aebee47395014e354f8bf7a7a26ec26f8df71eb05c06f
File name: 2016-06-30-psuedoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-after-chromechurch_com.dll

SHA256 hash: 3bf9cb765560ec70afff424cc606d51adff8158b63145c22eeddbb47e14fd7fb
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-lostreschiles_com.exe

SHA256 hash: bdd58de2133eeb13d09180feaf3f678140c2e386006a178e1f76517097eb3444
File name: 2016-06-30-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-tne_mx.exe

IMAGES

Click here to return to the main page.