Neutrino EK from 104.238.185.187 sends DMA Locker 4.0


UPDATE: [2016-05-23]
No post infection traffic upon reboot of infected computer.
No encryption of Sample Pictures. I could guess this would give a known good file to compare to an encrypted file to assist in attempts to find decryption keys.

NOTES:
It appears that the Neutrino Exploit Kit is using private internet addresses to host its landing page. Choopa, LLC is associated with Private Internet Access. It is also possible that they are associated with other internet access, so I have tentatively identified it with Private Internet Access. Please feel free to contact me if you feel you can provide further information.

There are also more artifacts from this infection chain. When I have more time I will update the post.

ASSOCIATED DOMAINS:

  • 85.93.0.81 – okahen.tk – EITEST GATE
  • 104.238.185.187 – http://ttzxxjkhvs.ipsideu.top – GET /long/trail-17445990.swf – Neutrino LANDING PAGE
  • 80.87.205.115 – GET /2/x64.exe – DMA LOCKER DOWNLOAD
  • 80.87.205.115 – GET /2/bbv.exe – DMA LOCKER DOWNLOAD
  • 5.8.63.54 – GET /crypto/gate? – DMA LOCKER C2 Check-In
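The chain above (EITest gate, Neutrino landing page, payload download, C2 check-in) can be turned into an ordered detection rather than four unrelated indicator hits. The script below is an added example, not part of the original post: it assumes a constructed proxy-log layout (epoch, client IP, server IP, method, URI) and reports only clients whose hits follow the chain in order, so a lone hit on one indicator is distinguished from a host that walked the whole infection path.

```python
import re
# Indicators from the post's ASSOCIATED DOMAINS list, keyed by chain stage: destination IP
# plus the URI shape the post records for that stage (no gate URI is given, so any URI).
STAGES = [
    ("gate",     "85.93.0.81",      r".*"),
    ("landing",  "104.238.185.187", r"\.swf$"),
    ("download", "80.87.205.115",   r"^/2/.*\.exe$"),
    ("c2",       "5.8.63.54",       r"^/crypto/gate"),
]
ORDER = [name for name, _, _ in STAGES]

# Constructed proxy-log lines (assumed layout: epoch client_ip server_ip method uri):
# 10.0.0.5 walks the whole chain, 10.0.0.9 is a lone payload fetch with no gate or landing.
SAMPLE_LOG = """\
1463900000 10.0.0.5 85.93.0.81 GET /
1463900003 10.0.0.5 104.238.185.187 GET /long/trail-17445990.swf
1463900010 10.0.0.5 80.87.205.115 GET /2/x64.exe
1463900040 10.0.0.5 5.8.63.54 GET /crypto/gate?
1463900000 10.0.0.9 80.87.205.115 GET /2/x64.exe
""".splitlines()

def classify(server_ip, uri):
    """Return the chain stage an (IP, URI) pair matches, or None."""
    for name, ip, pattern in STAGES:
        if server_ip == ip and re.search(pattern, uri):
            return name
    return None

def find_chains(lines, window=600):
    """Per client, keep hits that extend the prefix gate -> landing -> download -> c2
    within `window` seconds of the gate hit; report clients that reached the download."""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 5:
            ts, client, server, _method, uri = parts
            stage = classify(server, uri)
            if stage:
                hits.setdefault(client, []).append((int(ts), stage))
    chains = {}
    for client, events in hits.items():
        progress, start = [], None
        for ts, stage in sorted(events):
            if stage == "gate" and not progress:
                progress, start = ["gate"], ts
            elif progress and ts - start <= window and progress + [stage] == ORDER[:len(progress) + 1]:
                progress.append(stage)
        if "download" in progress:
            chains[client] = progress
    return chains
```

A bare hit on the download or C2 indicator still deserves its own alert; this function only adds the chain-level view on top of that.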

IMAGES and DETAILS:

Shown above: Neutrino Exploit Kit landing page on Choopa, LLC IP address

Shown above: AS record of Neutrino Exploit Kit landing page

Shown above: DMA Locker 4.0 ransomware downloads

Shown above: DMA Locker 4.0 ransomware check-in to command and control

Shown above: Packets 6192 and 6459 show the EITEST gate and packet 6608 shows Neutrino exploiting Flash version 19.0.0.245

Shown above: DMA Locker 4.0 ransom note

ASSOCIATED FILES FROM NEUTRINO EXPLOIT: