2016-07-11 - EK DATA DUMP (MAGNITUDE EK, NEUTRINO EK)

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-11-EK-dump-all-3-pcaps.zip   2.1 MB (2,087,494 bytes)

• 2016-07-11-Afraidgate-Neutrino-EK-sends-CryptXXX.pcap   (1,104,777 bytes)
• 2016-07-11-Magnitude-EK-sends-Cerber.pcap   (991,030 bytes)
• 2016-07-11-Neutrino-EK-sends-Gootkit.pcap   (426,467 bytes)

• ZIP archive of the malware:  2016-07-11-EK-dump-malware-and-artifacts.zip   908.8 kB (908,785 bytes)

• 2016-07-11-Afraidgate-CryptXXX-decrypt-instructions.BMP   (3,686,454 bytes)
• 2016-07-11-Afraidgate-CryptXXX-decrypt-instructions.HTML   (18,215 bytes)
• 2016-07-11-Afraidgate-Neutrino-EK-flash-exploit.swf   (82,369 bytes)
• 2016-07-11-Afraidgate-Neutrino-EK-landing-page.txt   (2,076 bytes)
• 2016-07-11-Afraidgate-Neutrino-EK-payload-CryptXXX.dll   (483,328 bytes)
• 2016-07-11-Cerber-decryption-instructions.html   (12,414 bytes)
• 2016-07-11-Cerber-decryption-instructions.txt   (10,522 bytes)
• 2016-07-11-Cerber-decryption-instructions.vbs   (234 bytes)
• 2016-07-11-Magnitude-EK-flash-exploit.swf   (58,686 bytes)
• 2016-07-11-Magnitude-EK-flash-redirect.swf   (720 bytes)
• 2016-07-11-Magnitude-EK-landing-page.txt   (706 bytes)
• 2016-07-11-Magnitude-EK-more-html.txt   (22,901 bytes)
• 2016-07-11-Magnitude-EK-payload-Cerber.exe   (293,656 bytes)
• 2016-07-11-other-Neutrino-EK-flash-exploit.swf   (84,243 bytes)
• 2016-07-11-other-Neutrino-EK-landing-page.txt   (2,100 bytes)
• 2016-07-11-other-Neutrino-EK-payload-Gootkit.exe   (198,144 bytes)

NOTES:

• 2016-07-06 - SANS ISC diary:  CryptXXX ransomware updated
• 2016-07-07 - Bleeping Computer:  New CryptXXX changes name to Microsoft Decryptor
• 2016-07-08 - Malware-traffic-analysis.net:  CryptXXX updated again, now looking more like it did before previous change, also changes back to "UltraDeCrypter".

• Tipped off on today's Magnitude EK activity by a tweet from @malekal_morte which can be found here.
• Other Neutrino EK activity also found due to a tweet from @malekal_morte available here.
• Background on the Afraidgate campaign (now using Neutrino EK instead of Angler) is available here.

 

TRAFFIC

Shown above:  Traffic from the first pcap filtered in Wireshark (Magnitude EK sends Cerber ransomware).

Shown above:  Traffic from the second pcap filtered in Wireshark (other Neutrino EK sends Gootkit).

Shown above:  Traffic from the third pcap filtered in Wireshark (Afraidgate Neutrino EK sends CryptXXX ransomware).

 

ASSOCIATED DOMAINS:

• 185.143.240.178 port 80 - game250frees.org - Compromised domain
• 185.143.240.177 port 80 - tryfairly.vip - profiling gate
• 188.165.173.118 port 80 - f60d0p506s204.toopened.gdn - Magnitude EK
• 188.165.173.118 port 80 - 188.165.173.118 - Magnitude EK
• ipinfo.io - IP address check by the malware
• 38.141.234.0 through 38.141.235.255 (38.141.234.0/23) - UDP scan over port 6892

• 107.155.99.143 port 80 - 107.155.99.143 - GET /indexii.php - Gate to Neutrino EK
• 5.2.72.171 port 80 - xirxywgoe.lautumnwhite.top - Neutrino EK
• 5.1.80.127 port 80 - sautecauda.com - SSL traffic over port 80 (Gootkit callback)

• 188.166.38.125 port 80 - today.seguroslosmedanos.com.ve - GET /scripts/widgets.js - Gate to Neutrino EK
• 85.25.79.115 port 80 - vastaustensaberc.thebathstation.co.uk - Neutrino EK
• 188.0.236.9 port 443 - CryptXXX post-infection traffic (custom encoded, not SSL)

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• pmenboeqhyrpvomq.132z80.top - domain from today's Cerber sample
• pmenboeqhyrpvomq.bigfooters.loan - domain from today's Cerber sample
• pmenboeqhyrpvomq.marksgain.kim - domain from today's Cerber sample
• pmenboeqhyrpvomq.swissprogramms.bid - domain from today's Cerber sample
• pmenboeqhyrpvomq.onion.to - domain from today's Cerber sample

• wxaga5ybn5wjcn3x.onion.to - domain from today's Afraidgate CryptXXX sample
• wxaga5ybn5wjcn3x.onion.cab - domain from today's Afraidgate CryptXXX sample
• wxaga5ybn5wjcn3x.onion.city - domain from today's Afraidgate CryptXXX sample

 

FILE HASHES

FLASH REDIRECTS/EXPLOITS:

• SHA256 hash:  9ecd17a4c0f55aeae2e5cad9bf22fb860327ded04cb025132ce566748604c07d
  File name:  2016-07-11-Magnitude-EK-flash-redirect.swf

• SHA256 hash:  f16b6835cab9b2157e950bd38075359c0083e57627aa5af67523801137443de8
  File name:  2016-07-11-Magnitude-EK-flash-exploit.swf

• SHA256 hash:  af82f425c7337a87c6a6d08b05b1f45a7e6e660aa74f83fbca9a04977d5ee269
  File name:  2016-07-11-other-Neutrino-EK-flash-exploit.swf

• SHA256 hash:  40d2db7d522c5822107b450e633baab5608b143bc69e9a38a87773b51ae95c24
  File name:  2016-07-11-Afraidgate-Neutrino-EK-flash-exploit.swf

PAYLOADS:

• SHA256 hash:  649f06c85b1b9a6ed1d257c21a103e6aa09480706719d86bfb10436654a0b517
  File name:  2016-07-11-Magnitude-EK-payload-Cerber.exe

• SHA256 hash:  d8e05ac76e4723a859a2834372c23714c030d4ce3e39a47511db7fdb7f8b79d4
  File name:  2016-07-11-other-Neutrino-EK-payload-Gootkit.exe

• SHA256 hash:  d3b1de1efb431e7c7b31f11e1809be97da471054e3b275aaadb6df118b42cab5
  File name:  2016-07-11-Afraidgate-Neutrino-EK-payload-CryptXXX.dll

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-11-EK-dump-all-3-pcaps.zip   2.1 MB (2,087,494 bytes)
• ZIP archive of the malware:  2016-07-11-EK-dump-malware-and-artifacts.zip   908.8 kB (908,785 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.