Neutrino Exploit Kit via EITEST Gate sends Cryptxxx

ASSOCIATED DOMAINS:

  • 85.93.0.72 – EITEST GATE
  • 45.32.183.118 – xomyezriq.d2ahave.top – Neutrino LANDING PAGE
  • 45.32.183.118 – wtsgrws.d2ahave.top – Neutrino LANDING PAGE
  • 188.0.236.7 – Cryptxxx POST INFECTION CHECK-IN C2


IMAGES and DETAILS:

Shown above: Well-known EITEST gate using the .ml top-level domain (TLD) and the Neutrino EK landing page using the .top TLD


Shown above: Script on EITEST Gate redirecting to Neutrino Exploit Kit


Shown above: Packet 185 shows Neutrino EK exploiting Flash, and packet 435 shows the malicious payload delivered as “application/octet-stream”


Shown above: Packet 185 shows Neutrino exploiting Flash version 21,0,0,213    [1f6a]


Shown above: Contents of packet 435 downloading encrypted malicious payload


Shown above: Cryptxxx check-in to Command and Control (C2) via port 443


Shown above: Cryptxxx .HTML ransom note and De-Crypt instructions
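The chain captured above (EITEST gate, Neutrino landing page, Flash exploit, octet-stream payload, Cryptxxx check-in on 443) can be correlated per client from HTTP/TLS flow summaries. The script below is an added example, not part of the original write-up; the indicators are the ones listed on this page, the flow records are constructed, the gate hostname is a placeholder, and the Flash MIME type is an assumption about how the exploit response would be labelled.

```python
"""Correlate the Neutrino -> Cryptxxx chain from per-flow HTTP/TLS summaries."""
from collections import defaultdict

# Indicators taken from the ASSOCIATED DOMAINS list on this page.
EITEST_GATE_IP = "85.93.0.72"
NEUTRINO_LANDING_HOSTS = {"xomyezriq.d2ahave.top", "wtsgrws.d2ahave.top"}
CRYPTXXX_C2_IP = "188.0.236.7"

# Constructed flow records: (client, dst_ip, dst_port, host, response content-type).
# The gate host is a placeholder (.ml TLD as on the page); the Flash MIME type is assumed.
SAMPLE_FLOWS = [
    ("10.0.0.5", "85.93.0.72", 80, "gate-placeholder.ml", "text/html"),
    ("10.0.0.5", "45.32.183.118", 80, "xomyezriq.d2ahave.top", "text/html"),
    ("10.0.0.5", "45.32.183.118", 80, "xomyezriq.d2ahave.top", "application/x-shockwave-flash"),
    ("10.0.0.5", "45.32.183.118", 80, "xomyezriq.d2ahave.top", "application/octet-stream"),
    ("10.0.0.5", "188.0.236.7", 443, "", ""),            # post-infection check-in
    ("10.0.0.9", "93.184.216.34", 80, "example.com", "text/html"),  # benign noise
]

STAGES = ("gate", "landing", "flash", "payload", "c2")

def classify(flow):
    """Map one flow to the chain stage it matches, or None if it matches nothing."""
    _client, dst_ip, dst_port, host, ctype = flow
    if dst_ip == EITEST_GATE_IP:
        return "gate"
    if host in NEUTRINO_LANDING_HOSTS:
        if ctype == "application/x-shockwave-flash":
            return "flash"
        if ctype == "application/octet-stream":
            return "payload"
        return "landing"
    if dst_ip == CRYPTXXX_C2_IP and dst_port == 443:
        return "c2"
    return None

def correlate(flows):
    """Return {client: [distinct stages in the order first seen]} for clients touching any stage."""
    seen = defaultdict(list)
    for flow in flows:
        stage = classify(flow)
        if stage and stage not in seen[flow[0]]:
            seen[flow[0]].append(stage)
    return dict(seen)

def full_chain_victims(flows):
    """Clients whose flows cover every stage in order, gate through C2 check-in."""
    return sorted(c for c, stages in correlate(flows).items() if stages == list(STAGES))

if __name__ == "__main__":
    print(full_chain_victims(SAMPLE_FLOWS))
```

Clients that hit only the gate or the landing page (blocked before the payload) show up in `correlate()` with a partial stage list, which is the useful triage signal when the full chain is absent.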


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: