2016-07-18 - PSEUDODARKLEECH NEUTRINO EK FROM 85.93.93[.]163 SENDS CRYPTXXX RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-07-18-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware.pcap.zip 1.2 MB (1,162,563 bytes)
- 2016-07-18-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware.pcap (1,231,691 bytes)
- 2016-07-18-pseudoDarkleech-Neutrino-EK-and-CryptXXX-ransomware-files.zip 488.2 kB (488,211 bytes)
- 2016-07-18-CryptXXX-ransomware-decrypt-instructions.BMP (5,242,934 bytes)
- 2016-07-18-CryptXXX-ransomware-decrypt-instructions.HTML (20,962 bytes)
- 2016-07-18-page-from-riverhotel-vp_com-with-injected-script.txt (16,099 bytes)
- 2016-07-18-pseudoDarkleech-Neutrino-EK-flash-exploit.swf (87,333 bytes)
- 2016-07-18-pseudoDarkleech-Neutrino-EK-landing-page.txt (3,813 bytes)
- 2016-07-18-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware.dll (367,104 bytes)
NOTES:
- 2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
- 2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
- 2016-06-11 - Malware Don't Need Coffee: Is it the end of Angler?
- 2016-07-14 - Proofpoint Blog: Spam, Now With a Side of CryptXXX Ransomware!
From Proofpoint: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- I've posted both versions of CryptXXX ransomware since 2016-07-06. The CryptXXX ransomware in today's post is, I believe, from the original branch.
Shown above: Flowchart for today's infection traffic.
TRAFFIC
Shown above: Injected script in page from compromised website.
Shown above: Traffic from the pcap filtered in Wireshark. Filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
ASSOCIATED DOMAINS:
- riverhotel-vp[.]com - Compromised website
- 85.93.93[.]163 port 80 - infanticidiorenuntiatum.colinsinclairmcdermott[.]com - Neutrino EK
- 188.0.236[.]9 port 443 - CryptXXX ransomware post-infection traffic (custom encoded, not SSL)
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- lkpe6tr2yuk4f246[.]onion[.]to
- lkpe6tr2yuk4f246[.]onion[.]cab
- lkpe6tr2yuk4f246[.]onion[.]city
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: b6ce4e40799212290b9c2cd68000d667347dd85f47b6554b4ba492f26a8fa843
File name: 2016-07-18-pseudoDarkleech-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 0f0a2b5680b11dd20bc4d52604907586eb22b9056dfac84bfb4918ee4f790512
File name: 2016-07-18-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware.dll
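The domains, IP addresses and SHA256 hashes listed above are written defanged with "[.]" so they cannot be clicked. The following Python script is an added example (not part of the original post) showing how a defender would refang those indicators and sweep proxy, firewall and endpoint log lines for them; the log lines are constructed for illustration, and the field names in them are assumptions, not any particular product's format.

```python
import re

# Indicators exactly as they appear on this page (defanged with "[.]").
DEFANGED_INDICATORS = [
    "riverhotel-vp[.]com",                                   # compromised website
    "85.93.93[.]163",                                        # Neutrino EK
    "infanticidiorenuntiatum.colinsinclairmcdermott[.]com",  # Neutrino EK
    "188.0.236[.]9",                                         # CryptXXX post-infection
    "lkpe6tr2yuk4f246[.]onion[.]to",                         # decrypt instructions
    "lkpe6tr2yuk4f246[.]onion[.]cab",
    "lkpe6tr2yuk4f246[.]onion[.]city",
]

# SHA256 hashes from the FILE HASHES section, mapped to a label.
KNOWN_SHA256 = {
    "b6ce4e40799212290b9c2cd68000d667347dd85f47b6554b4ba492f26a8fa843": "Neutrino EK Flash exploit",
    "0f0a2b5680b11dd20bc4d52604907586eb22b9056dfac84bfb4918ee4f790512": "CryptXXX ransomware DLL",
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: '[.]' -> '.', 'hxxp' -> 'http'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(indicators):
    """Compile one alternation over the refanged indicators.

    The lookarounds forbid a host/IP character on either side, so
    185.93.93.163 does not match the indicator 85.93.93.163 and
    riverhotel-vp.com.example does not match riverhotel-vp.com.
    """
    refanged = sorted((refang(i) for i in indicators), key=len, reverse=True)
    body = "|".join(re.escape(i) for i in refanged)
    return re.compile(r"(?<![A-Za-z0-9.-])(?:" + body + r")(?![A-Za-z0-9.-])", re.IGNORECASE)


SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# Constructed sample log lines (hypothetical format), one host touching
# each stage of the infection chain plus two benign lines.
SAMPLE_LOGS = [
    "2016-07-18 13:01:02 proxy client=10.0.0.5 GET http://riverhotel-vp.com/ 200",
    "2016-07-18 13:01:09 proxy client=10.0.0.5 GET http://infanticidiorenuntiatum.colinsinclairmcdermott.com/ 200",
    "2016-07-18 13:01:40 firewall allow src=10.0.0.5 dst=188.0.236.9:443 proto=tcp",
    "2016-07-18 13:01:12 endpoint host=10.0.0.5 file=C:\\Users\\user\\AppData\\Local\\Temp\\x.dll sha256=0f0a2b5680b11dd20bc4d52604907586eb22b9056dfac84bfb4918ee4f790512",
    "2016-07-18 13:05:00 firewall allow src=10.0.0.7 dst=185.93.93.163:80 proto=tcp",
    "2016-07-18 13:06:00 proxy client=10.0.0.9 GET http://example.org/ 200",
]


def sweep(lines, indicators=DEFANGED_INDICATORS, hashes=KNOWN_SHA256):
    """Return (line_number, kind, value) for every indicator or hash hit."""
    matcher = build_matcher(indicators)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in matcher.finditer(line):
            hits.append((n, "indicator", m.group(0).lower()))
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append((n, "sha256", hashes[h.lower()]))
    return hits


if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Only the first four lines produce hits; line 5 (185.93.93.163) is a near miss on the EK address and is correctly ignored, and line 6 is benign. Matching on the decrypt-instruction hosts is included because a request to any of the .onion gateway domains from a workstation is itself a strong sign that the ransom note was opened.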
IMAGES
Shown above: The CryptXXX .dll file loaded during the infection.
Shown above: The infected Windows host after rebooting.