Neutrino Exploit Kit, EITEST from 74.208.155.64 delivers CryptXXX Ransomware

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.43 – dod0.tk – EITEST GATE
  • 74.208.155.64 – schildhouder.dbcb.uk – Neutrino EK LANDING PAGE
  • 185.49.68.215 – CryptXXX command and control (C2)

I have added a zipped pcap file for your analysis. The password is the one customarily used by malware researchers; if you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic:
2016-06-21-Neutrino-EK-pcap.zip


DETAILS OF INFECTION CHAIN:

Shown above: Compromised site and associated domains leading to CryptXXX ransomware

Shown above: Injected script found on the compromised site, associated with the EITEST campaign, redirecting to the EITEST gate

Shown above: Referer from the compromised site and script from the EITEST gate redirecting to the Neutrino Exploit Kit (EK) landing page

Shown above: Neutrino EK landing page

Shown above: Packet 250 shows the Neutrino Flash exploit and packet 570 shows delivery of the malicious payload leading to the CryptXXX ransomware infection

Shown above: Partial contents of the Neutrino Flash exploit

Shown above: CryptXXX .HTML ransom note and De-Crypt instructions
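The screenshots above trace the chain by following Referer headers from the compromised site to the EITEST gate and on to the Neutrino EK landing page, then spotting the post-infection C2 contact. The script below is an added example (not code from the original post) that automates that reconstruction over HTTP request records: it tags each request against the IPs and domains listed at the top of this post and walks Referer links backward to rebuild the redirect chain. The request records, hostnames such as compromised-site.example, paths and timestamps are constructed for illustration and are not taken from the pcap.

```python
"""
Reconstruct an EITEST -> Neutrino EK -> CryptXXX redirect chain from HTTP request records.

Added example, not part of the original post. Indicators are the IPs/domains listed
in the post; the log records are constructed (paths, timestamps and the compromised
site name are placeholders, not values from the pcap).
"""
from dataclasses import dataclass
from typing import Optional

# Indicators from the post, keyed by hostname and by IP address.
INDICATORS = {
    "dod0.tk": "EITEST gate",
    "85.93.0.43": "EITEST gate",
    "schildhouder.dbcb.uk": "Neutrino EK landing page",
    "74.208.155.64": "Neutrino EK landing page",
    "185.49.68.215": "CryptXXX C2",
}

UNKNOWN_ROLE = "referring site (not in indicator list)"


@dataclass
class Request:
    ts: float            # seconds since start of capture (constructed)
    dst_ip: str          # server IP the request went to
    host: str            # HTTP Host header
    path: str            # request path
    referer: Optional[str]  # HTTP Referer header, or None

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


# Constructed records: ts|dst_ip|host|path|referer ("-" means no Referer header).
SAMPLE_LOG = """\
1.000|203.0.113.10|compromised-site.example|/index.html|-
1.250|85.93.0.43|dod0.tk|/gate.php|http://compromised-site.example/index.html
1.800|74.208.155.64|schildhouder.dbcb.uk|/landing/abc|http://dod0.tk/gate.php
2.400|74.208.155.64|schildhouder.dbcb.uk|/flash/xyz.swf|http://schildhouder.dbcb.uk/landing/abc
3.100|74.208.155.64|schildhouder.dbcb.uk|/payload/bin|http://schildhouder.dbcb.uk/landing/abc
5.000|185.49.68.215|185.49.68.215|/|-
"""


def parse_log(text: str) -> list:
    """Parse the pipe-separated records into Request objects."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst_ip, host, path, ref = line.split("|")
        reqs.append(Request(float(ts), dst_ip, host, path, None if ref == "-" else ref))
    return reqs


def classify(req: Request) -> Optional[str]:
    """Return the indicator role for a request, matching on Host first, then on IP."""
    return INDICATORS.get(req.host) or INDICATORS.get(req.dst_ip)


def referer_chain(req: Request, by_url: dict) -> list:
    """Walk Referer headers backward from req to the earliest request we have a record for."""
    chain, seen, cur = [req], {req.url}, req
    while cur.referer and cur.referer in by_url and cur.referer not in seen:
        cur = by_url[cur.referer]
        seen.add(cur.url)
        chain.append(cur)
    return list(reversed(chain))  # oldest first


def reconstruct_chain(reqs: list):
    """
    Return (steps, c2) where steps is the longest Referer chain ending at an
    indicator hit, as (role, url) pairs oldest-first, and c2 lists IPs of
    requests classified as C2 traffic (these carry no Referer and sit outside
    the redirect chain).
    """
    by_url = {r.url: r for r in reqs}
    chains = [referer_chain(r, by_url) for r in reqs if classify(r) and r.referer]
    # Longest chain wins; among equal lengths prefer the latest (the payload fetch
    # follows the exploit fetch in time).
    longest = max(chains, key=lambda c: (len(c), c[-1].ts), default=[])
    steps = [(classify(r) or UNKNOWN_ROLE, r.url) for r in longest]
    c2 = [r.dst_ip for r in reqs if classify(r) == "CryptXXX C2"]
    return steps, c2


if __name__ == "__main__":
    steps, c2 = reconstruct_chain(parse_log(SAMPLE_LOG))
    for role, url in steps:
        print(f"{role:40s} {url}")
    print("post-infection C2 contact:", ", ".join(c2))
```

Matching on the Host header before the destination IP matters in practice: the EK landing page and the payload were served from the same host here, so the IP alone cannot separate the steps, while the Referer walk does.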


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: