2016-07-11 - EK DATA DUMP (MAGNITUDE EK, NEUTRINO EK)
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-11-EK-dump-all-3-pcaps.zip 2.1 MB (2,087,494 bytes)
- 2016-07-11-Afraidgate-Neutrino-EK-sends-CryptXXX.pcap (1,104,777 bytes)
- 2016-07-11-Magnitude-EK-sends-Cerber.pcap (991,030 bytes)
- 2016-07-11-Neutrino-EK-sends-Gootkit.pcap (426,467 bytes)
- ZIP archive of the malware: 2016-07-11-EK-dump-malware-and-artifacts.zip 908.8 kB (908,785 bytes)
- 2016-07-11-Afraidgate-CryptXXX-decrypt-instructions.BMP (3,686,454 bytes)
- 2016-07-11-Afraidgate-CryptXXX-decrypt-instructions.HTML (18,215 bytes)
- 2016-07-11-Afraidgate-Neutrino-EK-flash-exploit.swf (82,369 bytes)
- 2016-07-11-Afraidgate-Neutrino-EK-landing-page.txt (2,076 bytes)
- 2016-07-11-Afraidgate-Neutrino-EK-payload-CryptXXX.dll (483,328 bytes)
- 2016-07-11-Cerber-decryption-instructions.html (12,414 bytes)
- 2016-07-11-Cerber-decryption-instructions.txt (10,522 bytes)
- 2016-07-11-Cerber-decryption-instructions.vbs (234 bytes)
- 2016-07-11-Magnitude-EK-flash-exploit.swf (58,686 bytes)
- 2016-07-11-Magnitude-EK-flash-redirect.swf (720 bytes)
- 2016-07-11-Magnitude-EK-landing-page.txt (706 bytes)
- 2016-07-11-Magnitude-EK-more-html.txt (22,901 bytes)
- 2016-07-11-Magnitude-EK-payload-Cerber.exe (293,656 bytes)
- 2016-07-11-other-Neutrino-EK-flash-exploit.swf (84,243 bytes)
- 2016-07-11-other-Neutrino-EK-landing-page.txt (2,100 bytes)
- 2016-07-11-other-Neutrino-EK-payload-Gootkit.exe (198,144 bytes)
NOTES:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated
- 2016-07-07 - Bleeping Computer: New CryptXXX changes name to Microsoft Decryptor
- 2016-07-08 - Malware-traffic-analysis.net: CryptXXX updated again, now looking more like it did before previous change, also changes back to "UltraDeCrypter".
- Tipped off on today's Magnitude EK activity by a tweet from @malekal_morte.
- Other Neutrino EK activity also found due to a tweet from @malekal_morte.
- Background on the Afraidgate campaign (now using Neutrino EK instead of Angler) is available in earlier posts on this site.
TRAFFIC
Shown above: Traffic from the first pcap filtered in Wireshark (Magnitude EK sends Cerber ransomware).
Shown above: Traffic from the second pcap filtered in Wireshark (other Neutrino EK sends Gootkit).
Shown above: Traffic from the third pcap filtered in Wireshark (Afraidgate Neutrino EK sends CryptXXX ransomware).
ASSOCIATED DOMAINS:
- 185.143.240.178 port 80 - game250frees.org - Compromised domain
- 185.143.240.177 port 80 - tryfairly.vip - profiling gate
- 188.165.173.118 port 80 - f60d0p506s204.toopened.gdn - Magnitude EK
- 188.165.173.118 port 80 - 188.165.173.118 - Magnitude EK
- ipinfo.io - IP address check by the malware
- 38.141.234.0 through 38.141.235.255 (38.141.234.0/23) - UDP scan over port 6892
- 107.155.99.143 port 80 - 107.155.99.143 - GET /indexii.php - Gate to Neutrino EK
- 5.2.72.171 port 80 - xirxywgoe.lautumnwhite.top - Neutrino EK
- 5.1.80.127 port 80 - sautecauda.com - SSL traffic over port 80 (Gootkit callback)
- 188.166.38.125 port 80 - today.seguroslosmedanos.com.ve - GET /scripts/widgets.js - Gate to Neutrino EK
- 85.25.79.115 port 80 - vastaustensaberc.thebathstation.co.uk - Neutrino EK
- 188.0.236.9 port 443 - CryptXXX post-infection traffic (custom encoded, not SSL)
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- pmenboeqhyrpvomq.132z80.top - domain from today's Cerber sample
- pmenboeqhyrpvomq.bigfooters.loan - domain from today's Cerber sample
- pmenboeqhyrpvomq.marksgain.kim - domain from today's Cerber sample
- pmenboeqhyrpvomq.swissprogramms.bid - domain from today's Cerber sample
- pmenboeqhyrpvomq.onion.to - domain from today's Cerber sample
- wxaga5ybn5wjcn3x.onion.to - domain from today's Afraidgate CryptXXX sample
- wxaga5ybn5wjcn3x.onion.cab - domain from today's Afraidgate CryptXXX sample
- wxaga5ybn5wjcn3x.onion.city - domain from today's Afraidgate CryptXXX sample
FILE HASHES
FLASH REDIRECTS/EXPLOITS:
- SHA256 hash: 9ecd17a4c0f55aeae2e5cad9bf22fb860327ded04cb025132ce566748604c07d
File name: 2016-07-11-Magnitude-EK-flash-redirect.swf
- SHA256 hash: f16b6835cab9b2157e950bd38075359c0083e57627aa5af67523801137443de8
File name: 2016-07-11-Magnitude-EK-flash-exploit.swf
- SHA256 hash: af82f425c7337a87c6a6d08b05b1f45a7e6e660aa74f83fbca9a04977d5ee269
File name: 2016-07-11-other-Neutrino-EK-flash-exploit.swf
- SHA256 hash: 40d2db7d522c5822107b450e633baab5608b143bc69e9a38a87773b51ae95c24
File name: 2016-07-11-Afraidgate-Neutrino-EK-flash-exploit.swf
PAYLOADS:
- SHA256 hash: 649f06c85b1b9a6ed1d257c21a103e6aa09480706719d86bfb10436654a0b517
File name: 2016-07-11-Magnitude-EK-payload-Cerber.exe
- SHA256 hash: d8e05ac76e4723a859a2834372c23714c030d4ce3e39a47511db7fdb7f8b79d4
File name: 2016-07-11-other-Neutrino-EK-payload-Gootkit.exe
- SHA256 hash: d3b1de1efb431e7c7b31f11e1809be97da471054e3b275aaadb6df118b42cab5
File name: 2016-07-11-Afraidgate-Neutrino-EK-payload-CryptXXX.dll
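The indicators in the ASSOCIATED DOMAINS, DECRYPT INSTRUCTIONS and PAYLOADS lists above are easier to use when turned into matching logic. The script below is an added example, not code from this post or from the pcaps: it loads the page's hosts, IPs, the Cerber UDP /23 range, the ransom-note victim labels and the payload SHA256 hashes, then runs them over a handful of constructed flow records (the record format, the benign 203.0.113.x/198.51.100.x addresses and the byte strings are assumptions made for illustration). It also flags the two port/protocol mismatches the lists call out: TLS on port 80 (Gootkit) and non-TLS traffic on port 443 (CryptXXX).

```python
"""Match flow and file records against the indicators listed on this page.

Added example; not code from the original post. The indicator values are
copied from the page's lists; SAMPLE_RECORDS below are constructed, not
taken from the pcaps.
"""
import hashlib
import ipaddress

# Hosts and IPs from the ASSOCIATED DOMAINS list.
HOST_IOCS = {
    "game250frees.org": "compromised domain",
    "tryfairly.vip": "profiling gate",
    "f60d0p506s204.toopened.gdn": "Magnitude EK",
    "xirxywgoe.lautumnwhite.top": "Neutrino EK",
    "sautecauda.com": "Gootkit callback",
    "today.seguroslosmedanos.com.ve": "gate to Neutrino EK",
    "vastaustensaberc.thebathstation.co.uk": "Neutrino EK",
}
IP_IOCS = {
    "185.143.240.178": "compromised domain",
    "185.143.240.177": "profiling gate",
    "188.165.173.118": "Magnitude EK",
    "107.155.99.143": "gate to Neutrino EK",
    "5.2.72.171": "Neutrino EK",
    "5.1.80.127": "Gootkit callback",
    "188.166.38.125": "gate to Neutrino EK",
    "85.25.79.115": "Neutrino EK",
    "188.0.236.9": "CryptXXX post-infection",
}
# Cerber sprays UDP across a whole /23, so match the range rather than one address.
CERBER_UDP_NET = ipaddress.ip_network("38.141.234.0/23")
CERBER_UDP_PORT = 6892
# The ransom-note hosts reuse one victim label across several TLDs and Tor
# gateways, so key on the leftmost label instead of each full name.
RANSOM_LABELS = {
    "pmenboeqhyrpvomq": "Cerber decrypt instructions",
    "wxaga5ybn5wjcn3x": "CryptXXX decrypt instructions",
}
# SHA256 hashes from the PAYLOADS list.
PAYLOAD_SHA256 = {
    "649f06c85b1b9a6ed1d257c21a103e6aa09480706719d86bfb10436654a0b517": "Cerber",
    "d8e05ac76e4723a859a2834372c23714c030d4ce3e39a47511db7fdb7f8b79d4": "Gootkit",
    "d3b1de1efb431e7c7b31f11e1809be97da471054e3b275aaadb6df118b42cab5": "CryptXXX",
}


def classify_host(host):
    """Return the indicator label for an HTTP Host or DNS name, or None."""
    name = host.strip().rstrip(".").lower()
    if name in HOST_IOCS:
        return HOST_IOCS[name]
    return RANSOM_LABELS.get(name.split(".")[0])


def looks_like_tls(payload):
    """True if the first client bytes form a TLS record header (type 0x16, major 0x03)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03


def classify_flow(proto, dst_ip, dst_port, payload=b""):
    """Return the list of reasons a flow matches the page's network indicators."""
    reasons = []
    if dst_ip in IP_IOCS:
        reasons.append(IP_IOCS[dst_ip])
    if proto == "udp" and dst_port == CERBER_UDP_PORT and ipaddress.ip_address(dst_ip) in CERBER_UDP_NET:
        reasons.append("Cerber UDP scan of 38.141.234.0/23")
    # Port/protocol mismatches noted on the page; judged only when client bytes exist.
    if proto == "tcp" and payload:
        if dst_port == 80 and looks_like_tls(payload):
            reasons.append("TLS on port 80")
        if dst_port == 443 and not looks_like_tls(payload):
            reasons.append("non-TLS traffic on port 443")
    return reasons


def identify_payload(data):
    """Return the payload name if the SHA256 of data is one of the listed hashes."""
    return PAYLOAD_SHA256.get(hashlib.sha256(data).hexdigest())


def scan_records(records):
    """records: dicts with proto, dst_ip, dst_port and optional host/payload keys."""
    hits = []
    for rec in records:
        reasons = classify_flow(rec["proto"], rec["dst_ip"], rec["dst_port"], rec.get("payload", b""))
        label = classify_host(rec["host"]) if rec.get("host") else None
        if label:
            reasons.append(label)
        if reasons:
            hits.append((rec["dst_ip"], rec["dst_port"], sorted(set(reasons))))
    return hits


# Constructed sample records (assumed format, not taken from the pcaps).
SAMPLE_RECORDS = [
    {"proto": "tcp", "dst_ip": "185.143.240.178", "dst_port": 80, "host": "game250frees.org"},
    {"proto": "tcp", "dst_ip": "188.165.173.118", "dst_port": 80, "host": "f60d0p506s204.toopened.gdn"},
    {"proto": "udp", "dst_ip": "38.141.235.17", "dst_port": 6892},   # inside the /23
    {"proto": "udp", "dst_ip": "38.141.236.1", "dst_port": 6892},    # outside it: no hit
    {"proto": "tcp", "dst_ip": "5.1.80.127", "dst_port": 80, "payload": b"\x16\x03\x01\x00\xc8\x01"},
    {"proto": "tcp", "dst_ip": "188.0.236.9", "dst_port": 443, "payload": b"\x8a\x13\x77\x02"},
    {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "host": "example.com",
     "payload": b"\x16\x03\x01\x00\xc8\x01"},                         # benign TLS
    {"proto": "tcp", "dst_ip": "198.51.100.7", "dst_port": 80, "host": "pmenboeqhyrpvomq.onion.to"},
]

if __name__ == "__main__":
    for ip, port, reasons in scan_records(SAMPLE_RECORDS):
        print(f"{ip}:{port} -> {', '.join(reasons)}")
```

The TLS check only looks at the record header, which is enough to separate the Gootkit callback on port 80 from ordinary HTTP and to show that the CryptXXX traffic on 443 is not TLS; it is not a full parser. identify_payload() is there so the files from the malware ZIP can be checked against the listed hashes after extraction; it returns None for anything else.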
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-11-EK-dump-all-3-pcaps.zip 2.1 MB (2,087,494 bytes)
- ZIP archive of the malware: 2016-07-11-EK-dump-malware-and-artifacts.zip 908.8 kB (908,785 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.