2016-07-06 - FILES FOR AN ISC DIARY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-07-06-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware.pcap.zip 332.1 kB (332,079 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware.pcap (531,107 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-and-CrypMIC-ransomware-files.zip 191.3 kB (191,309 bytes)
- 2016-07-06-CrypMIC-ransomware-decrypt-instructions.BMP (3,276,854 bytes)
- 2016-07-06-CrypMIC-ransomware-decrypt-instructions.HTML (238,187 bytes)
- 2016-07-06-CrypMIC-ransomware-decrypt-instructions.TXT (1,654 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-landing-page.txt (3,151 bytes)
- 2016-07-06-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware.dll (252,928 bytes)
NOTES:
- The associated ISC diary is here.
- Had an issue with packet loss in the pcap, and I wasn't able to retrieve the Flash exploit.
FOLLOW-UP NOTES:
- Since publishing the ISC diary, TrendLabs analyzed this new branch of CryptXXX and named it "CrypMIC". I've updated this page to reflect the new information.
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
FILE HASHES:
- SHA256 hash: 272eb6ff1aaa98dc3e36b35a0a9bd10ce8e79344cbf2c33104a4d470be8a9eac
  File name: 2016-07-06-Neutrino-EK-payload-CrypMIC-ransomware.dll