Neutrino Exploit Kit via EITEST 85.93.0.43 sends CryptXXX Ransomware

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-06-30-Neutrino-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.43 – juioo.ml – EITEST GATE
  • 184.154.136.86 – bacillisirtisanoutuminen.doctorbargain.co.uk – Neutrino EK LANDING PAGE
  • 185.49.68.215 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC


DETAILS OF INFECTION CHAIN:

Shown above: HTTP traffic associated with the Neutrino exploit and CryptXXX ransomware

Shown above: Injected script found on the compromised site, which redirects to the EITEST gate via a Flash file.

Shown above: Script on the EITEST gate redirecting to the Neutrino EK landing page

Shown above: Packet 215 shows Neutrino exploiting Flash and packet 721 shows the malicious payload delivered as an application/octet-stream

Shown above: Partial contents of packet 215 showing Neutrino exploiting Flash

Shown above: Partial contents of the malicious payload from packet 721

Shown above: CryptXXX post-infection communication with the command and control host, transmitting its data over port 443 in clear text

Shown above: CryptXXX .HTML ransom note and De-Crypt instructions
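The indicator list and the infection chain above translate directly into a detection pass over web-proxy logs. The following is an added example, not code from broadanalysis.com or from the pcap: it matches the page's published IPs and hostnames against constructed proxy-log lines, flags an application/octet-stream download that follows a Flash object from the same host (the packet 215 / packet 721 pattern), and flags plain HTTP on port 443 (how the CryptXXX check-in appears). The log layout, the `10.0.0.x` client addresses, the example URIs and the 60-second window are assumptions made for this example.

```python
"""Detection pass over constructed proxy-log lines for the chain described on
this page: EITest gate -> Neutrino EK landing page -> Flash exploit ->
octet-stream payload -> CryptXXX C2 over port 443 in the clear.
Example code added for illustration; not part of the original post."""
from collections import namedtuple
from datetime import datetime, timedelta

# Indicators taken from the page's "associated domains and IP addresses" list.
INDICATORS = {
    "85.93.0.43": "EITest gate",
    "juioo.ml": "EITest gate",
    "184.154.136.86": "Neutrino EK landing page",
    "bacillisirtisanoutuminen.doctorbargain.co.uk": "Neutrino EK landing page",
    "185.49.68.215": "CryptXXX C2 check-in",
}

FLASH_TYPE = "application/x-shockwave-flash"
PAYLOAD_TYPE = "application/octet-stream"

# Assumed log layout (constructed for this example, not a real proxy format):
# <timestamp> <src_ip> <method> <host> <dst_ip>:<dst_port> <uri> <content_type>
Record = namedtuple("Record", "ts src method host dst_ip dst_port uri ctype")

# Constructed sample lines; client addresses, URIs and timestamps are invented.
SAMPLE_LOG = """\
2016-06-30T14:01:02 10.0.0.7 GET compromised-site.example 203.0.113.10:80 /index.html text/html
2016-06-30T14:01:05 10.0.0.7 GET juioo.ml 85.93.0.43:80 /gate.swf application/x-shockwave-flash
2016-06-30T14:01:07 10.0.0.7 GET bacillisirtisanoutuminen.doctorbargain.co.uk 184.154.136.86:80 /landing text/html
2016-06-30T14:01:09 10.0.0.7 GET bacillisirtisanoutuminen.doctorbargain.co.uk 184.154.136.86:80 /exploit.swf application/x-shockwave-flash
2016-06-30T14:01:12 10.0.0.7 GET bacillisirtisanoutuminen.doctorbargain.co.uk 184.154.136.86:80 /payload application/octet-stream
2016-06-30T14:02:30 10.0.0.7 POST - 185.49.68.215:443 / application/octet-stream
2016-06-30T14:03:00 10.0.0.9 CONNECT www.example.test 198.51.100.5:443 - -
"""


def parse_line(line):
    """Parse one log line into a Record; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, src, method, host, dst, uri, ctype = fields
    dst_ip, _, dst_port = dst.rpartition(":")
    if not dst_port.isdigit():
        return None
    return Record(datetime.fromisoformat(ts), src, method, host,
                  dst_ip, int(dst_port), uri, ctype)


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def match_indicators(records):
    """Return (record, label) for every request touching a known indicator."""
    hits = []
    for r in records:
        for key in (r.host, r.dst_ip):
            if key in INDICATORS:
                hits.append((r, INDICATORS[key]))
                break
    return hits


def flash_then_payload(records, window=timedelta(seconds=60)):
    """Flag an octet-stream download that follows a Flash object from the same
    host for the same client within `window` (landing-page exploit + payload)."""
    alerts = []
    last_flash = {}
    for r in sorted(records, key=lambda rec: rec.ts):
        key = (r.src, r.host)
        if r.ctype == FLASH_TYPE:
            last_flash[key] = r
        elif r.ctype == PAYLOAD_TYPE and key in last_flash:
            if r.ts - last_flash[key].ts <= window:
                alerts.append((last_flash[key], r))
    return alerts


def cleartext_on_443(records):
    """Requests to port 443 the proxy parsed as plain HTTP (anything other than
    a CONNECT tunnel), i.e. traffic on 443 that is not actually TLS."""
    return [r for r in records if r.dst_port == 443 and r.method != "CONNECT"]


def run(text=SAMPLE_LOG):
    records = parse_log(text)
    return {
        "indicator_hits": match_indicators(records),
        "flash_then_payload": flash_then_payload(records),
        "cleartext_443": cleartext_on_443(records),
    }


if __name__ == "__main__":
    for name, items in run().items():
        print(f"{name}: {len(items)} hit(s)")
        for item in items:
            print("   ", item)
```

The indicator match is the cheap, brittle check (the hostnames rotate per campaign); the two behavioural checks survive a change of infrastructure and are the ones worth keeping as standing rules.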


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: