Neutrino Exploit Kit via EITEST gate 85.93.0.43 Delivers CryptXXX Ransomware

NOTES:

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-08-Neutrino-EK-pcap.zip


2016-07-08 ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.43 – niiugr.ml – EITEST GATE
  • 74.208.162.191 – adferebaturquesterblichkeitsziffern.tdsk.uk – Neutrino EK LANDING PAGE
  • 91.220.131.147 PORT 443 – C2 Check-In – POST-INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://2dzmdacevbadfjvu.onion.to
http://2dzmdacevbadfjvu.onion.city


Shown above: Injected script found on a compromised site redirecting to the EITEST gate on 2016-07-08


Shown above: Traffic associated with the Neutrino exploit and CryptXXX ransomware infection


2016-07-07 ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.43 – jikloss.tk – EITEST GATE
  • 74.208.162.198 – tuntemisesta-unchildlike.highrisefire.uk – Neutrino EK LANDING PAGE
  • 91.220.131.147 PORT 443 – C2 Check-In – POST-INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://2dzmdacevbadfjvu.onion.to
http://2dzmdacevbadfjvu.onion.city
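The two IOC lists above (2016-07-08 and 2016-07-07) describe the same chain: compromised site, EITest gate on 85.93.0.43, Neutrino EK landing page on 74.208.162.x, CryptXXX check-in to 91.220.131.147 on TCP 443, and Tor2web gateways (onion.to, onion.city) for the ransom payment page. The script below is an added example, not part of the original post or its pcap: it loads exactly those indicators, matches them against constructed proxy/connection log lines (the simplified "timestamp src dst:port host path" layout is an assumption; the 203.0.113.x and 198.51.100.x addresses and the .test hostname are documentation values, not observed infrastructure), and reports which stages of the chain a given client actually reached.

```python
"""Match the Neutrino EK / CryptXXX indicators listed on this page against
proxy and connection logs.  Added example; not the original post's code."""
import re
from typing import Dict, List

# Indicators copied from the 2016-07-07 and 2016-07-08 lists above, by stage.
# The C2 check-in is listed as IP + port 443 only, so it is matched as "ip:port".
IOCS: Dict[str, set] = {
    "EITest gate": {"85.93.0.43", "niiugr.ml", "jikloss.tk"},
    "Neutrino EK landing page": {
        "74.208.162.191", "adferebaturquesterblichkeitsziffern.tdsk.uk",
        "74.208.162.198", "tuntemisesta-unchildlike.highrisefire.uk",
    },
    "CryptXXX C2 check-in": {"91.220.131.147:443"},
    "CryptXXX ransom payment": {
        "2dzmdacevbadfjvu.onion.to", "2dzmdacevbadfjvu.onion.city",
    },
}

# Assumed log layout: "<timestamp> <src ip> <dst ip>:<port> <host or -> <path or ->".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample lines (not from the page's pcap).  One client walks the
# full chain; the www.example.com line is benign filler.
SAMPLE_LOG = """\
2016-07-08T14:02:10 10.0.0.12 203.0.113.10:80 compromised-site.test /
2016-07-08T14:02:11 10.0.0.12 85.93.0.43:80 niiugr.ml /
2016-07-08T14:02:12 10.0.0.12 74.208.162.191:80 adferebaturquesterblichkeitsziffern.tdsk.uk /
2016-07-08T14:02:13 10.0.0.12 74.208.162.191:80 adferebaturquesterblichkeitsziffern.tdsk.uk /
2016-07-08T14:02:40 10.0.0.12 91.220.131.147:443 - -
2016-07-08T14:03:05 10.0.0.12 198.51.100.7:80 www.example.com /
2016-07-08T14:05:00 10.0.0.12 198.51.100.9:80 2dzmdacevbadfjvu.onion.to /
"""


def classify(dst: str, port: str, host: str) -> Dict[str, List[str]]:
    """Return {stage: [matched indicators]} for one connection.

    Host name, bare destination IP and ip:port are all tried, so a TLS
    connection logged without a host (host == "-") still matches the C2 entry,
    while the same IP on another port does not.
    """
    candidates = {host.lower(), dst, f"{dst}:{port}"}
    hits: Dict[str, List[str]] = {}
    for stage, indicators in IOCS.items():
        matched = sorted(indicators & candidates)
        if matched:
            hits[stage] = matched
    return hits


def scan_log(text: str) -> List[dict]:
    """Parse every log line and collect one finding per (line, stage)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:  # malformed line: skip rather than silently mis-parse
            continue
        for stage, indicators in classify(m["dst"], m["port"], m["host"]).items():
            findings.append({"line": lineno, "ts": m["ts"], "src": m["src"],
                             "stage": stage, "indicators": indicators})
    return findings


def infection_chain(findings: List[dict]) -> List[str]:
    """Ordered, de-duplicated stages seen.  Gate alone means a redirect that may
    have been blocked; gate + landing page + C2 check-in means the exploit ran
    and the ransomware called home."""
    seen: List[str] = []
    for f in findings:
        if f["stage"] not in seen:
            seen.append(f["stage"])
    return seen


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['src']} -> {f['stage']} ({', '.join(f['indicators'])})")
    print("chain:", " -> ".join(infection_chain(found)))
```

Two points worth keeping when adapting this to real logs: the check-in to 91.220.131.147 is plain TLS on 443, so a proxy that does not log SNI will show no host name and the match has to come from the destination IP and port; and the onion.to / onion.city names are Tor2web gateways, so a victim reading the ransom note on a normal browser produces ordinary clear-web DNS and HTTP requests for those hosts, which is why they are useful indicators even though the real payment site is a Tor hidden service.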


Shown above: Traffic associated with the Neutrino exploit and CryptXXX ransomware infection


Shown above: CryptXXX Windows desktop background image, ransom note, and De-Crypt instructions


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: