Neutrino EK from 185.58.227.227 sends Cerber Ransomware

UPDATED:

  • I was unable to recover the Cerber ransomware payload. According to malwarebytes.com “In order to prevent user from finding the malicious file by its creation timestamp it is changed to the timestamp of kernel32.dll existing on the local system.”
  • Detailed information about the Neutrino Exploit Kit can be found at malware-traffic-analysis.net
  • Detailed information about Cerber ransomware can be found at blog.malwarebytes.com
  • Detailed information about Cerber ransomware can be found at bleepingcomputer.com

ASSOCIATED DOMAINS:

  • 185.58.227.227 – nepzcig.uadrab.top/ – GET /forest/ – Neutrino LANDING PAGE
  • 52.2.241.169 – ipinfo.io – GET /json – POST-INFECTION TRAFFIC
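The indicators above are enough to write a small network detection for this chain: the landing page request, the Flash exploit and the application/octet-stream payload from the Neutrino host, and the later ipinfo.io GET /json check-in. The following is an added example, not code from the original post; the proxy log format and sample lines are constructed, the indicator values are the ones listed above, and the Flash content type is an assumption (the post does not state it). Because ipinfo.io is a legitimate service, the check-in is only rated high for a client that already reached the exploit kit.

```python
"""Network detection for the indicators listed in this post.

Added example, not part of the original post. The log line format and the
sample lines below are constructed; the indicator values come from the post's
ASSOCIATED DOMAINS list. The Flash content type is an assumption (the post
does not state it)."""
import re
from dataclasses import dataclass

EK_IP = "185.58.227.227"            # Neutrino EK server (from the post)
EK_HOST = "nepzcig.uadrab.top"      # landing page host (from the post)
EK_LANDING_PATH = "/forest/"        # landing page URI (from the post)
CHECKIN_HOST = "ipinfo.io"          # post-infection GET /json (from the post)
CHECKIN_PATH = "/json"
FLASH_CTYPE = "application/x-shockwave-flash"   # assumption, not from the post

# Constructed format: "<ts> <client> <dst_ip> <method> <host><path> <status> <content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^/ ]+)(?P<path>/\S*) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass
class Alert:
    client: str
    reason: str
    severity: str
    line: str


def classify(rec):
    """Map one parsed record to an indicator name, or None if it matches nothing."""
    if rec["dst"] == EK_IP or rec["host"] == EK_HOST:
        if rec["ctype"] == "application/octet-stream":
            return "neutrino-payload-download"      # packet 1612 in the post
        if rec["ctype"] == FLASH_CTYPE:
            return "neutrino-flash-exploit"         # packet 1173 in the post
        if rec["path"].startswith(EK_LANDING_PATH):
            return "neutrino-landing-page"
        return "neutrino-ek-host"
    if rec["host"] == CHECKIN_HOST and rec["path"] == CHECKIN_PATH and rec["method"] == "GET":
        return "cerber-post-infection-checkin"
    return None


def scan(lines):
    """Classify each line. ipinfo.io is a legitimate service, so its check-in is
    only rated high for a client that already reached the exploit kit."""
    alerts, ek_clients = [], set()
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        reason = classify(rec)
        if reason is None:
            continue
        if reason.startswith("neutrino"):
            ek_clients.add(rec["client"])
            severity = "high"
        else:
            severity = "high" if rec["client"] in ek_clients else "low"
        alerts.append(Alert(rec["client"], reason, severity, raw.strip()))
    return alerts


# Constructed sample traffic mirroring the chain described in the post.
SAMPLE_LOG = """\
2016-05-02T14:01:03Z 10.0.0.15 203.0.113.10 GET compromised.example/index.html 200 text/html
2016-05-02T14:01:04Z 10.0.0.15 185.58.227.227 GET nepzcig.uadrab.top/forest/ 200 text/html
2016-05-02T14:01:06Z 10.0.0.15 185.58.227.227 GET nepzcig.uadrab.top/forest/a1b2 200 application/x-shockwave-flash
2016-05-02T14:01:09Z 10.0.0.15 185.58.227.227 GET nepzcig.uadrab.top/forest/c3d4 200 application/octet-stream
2016-05-02T14:01:20Z 10.0.0.15 52.2.241.169 GET ipinfo.io/json 200 application/json
2016-05-02T14:05:00Z 10.0.0.22 52.2.241.169 GET ipinfo.io/json 200 application/json
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.severity:4} {a.client:10} {a.reason}")
```

Matching on the destination IP as well as the host name matters here: exploit kit landing domains rotate quickly, while the hosting IP tends to be reused for longer.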

IMAGES and DETAILS:

Shown above: Compromised site and Neutrino landing page

Shown above: Index page from compromised site with injected iframe redirecting to Neutrino landing page

Shown above: Packet 1173 shows the Neutrino exploit and packet 1612 shows the Cerber payload delivered as an application/octet-stream

Shown above: Packet 1612 delivered as an encrypted application/octet-stream

Shown above: Metadata from the Neutrino Flash exploit

Shown above: Random post-infection UDP traffic

Shown above: Cerber ransom note and decrypt information

Shown above: Files encrypted with the .cerber file extension

Shown above: Cerber start-up location in the Windows registry

PAYLOAD FROM NEUTRINO EK:

  • # DECRYPT MY FILES #.html
  • # DECRYPT MY FILES #.txt
  • # DECRYPT MY FILES #.vbs
  • 2016-05-02-Neutrino-EK.swf (VirusTotal link)
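The on-disk artefacts this post documents (the three "# DECRYPT MY FILES #" ransom notes, the .cerber extension, and the Malwarebytes observation that the dropped file's creation timestamp is copied from kernel32.dll) can be turned into a host triage check. The following is an added example, not code from the original post; the file inventory, paths and times are constructed. The timestamp heuristic is only applied outside the Windows tree, because files installed with the same OS build legitimately share kernel32.dll's creation time.

```python
"""Host triage for the Cerber artefacts this post shows on disk.

Added example, not part of the original post. The file inventory is
constructed; the ransom note names and the .cerber extension come from the
post, and the creation-time check follows the Malwarebytes observation quoted
above (the dropped file's creation timestamp is set to kernel32.dll's)."""
from datetime import datetime, timezone
from typing import NamedTuple


class FileEntry(NamedTuple):
    path: str
    created: datetime


RANSOM_NOTES = {
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.vbs",
}
ENCRYPTED_EXT = ".cerber"
EXEC_EXTS = (".exe", ".dll", ".scr")
# Files under the OS tree legitimately share kernel32.dll's timestamp (same build),
# so the timestamp heuristic is only applied outside it.
OS_TREE_PREFIX = "c:\\windows\\"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(entries, kernel32_created):
    """Return (path, finding) pairs for every entry that matches an artefact."""
    findings = []
    for e in entries:
        name = basename(e.path)
        low = name.lower()
        if name in RANSOM_NOTES:
            findings.append((e.path, "ransom-note"))
        elif low.endswith(ENCRYPTED_EXT):
            findings.append((e.path, "encrypted-file"))
        elif (low.endswith(EXEC_EXTS)
              and e.created == kernel32_created
              and not e.path.lower().startswith(OS_TREE_PREFIX)):
            findings.append((e.path, "creation-time-copied-from-kernel32"))
    return findings


def summarize(findings):
    """Count findings per kind, handy for a quick verdict on a host."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed inventory (paths and times are made up for the example).
K32_CREATED = datetime(2015, 7, 10, 11, 0, 0, tzinfo=timezone.utc)
INVENTORY = [
    FileEntry(r"C:\Windows\System32\kernel32.dll", K32_CREATED),
    FileEntry(r"C:\Windows\System32\ntdll.dll", K32_CREATED),               # legit, same build
    FileEntry(r"C:\Users\alice\AppData\Roaming\dropped.exe", K32_CREATED),  # suspicious
    FileEntry(r"C:\Users\alice\Documents\budget.xlsx",
              datetime(2016, 4, 20, 9, 30, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\alice\Documents\a1b2c3d4.cerber",
              datetime(2016, 5, 2, 14, 2, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\alice\Documents\# DECRYPT MY FILES #.txt",
              datetime(2016, 5, 2, 14, 3, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\alice\Desktop\# DECRYPT MY FILES #.html",
              datetime(2016, 5, 2, 14, 3, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for path, kind in triage(INVENTORY, K32_CREATED):
        print(f"{kind:36} {path}")
```

On a real host the inventory would come from a directory walk with creation times read from the file system, and kernel32_created from the system's own kernel32.dll; the comparison logic stays the same.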