Neutrino Exploit Kit via EITEST sends updated CryptXXX Ransomware
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the EITEST campaign.
- Some changes noted to this version of CryptXXX were, it renames the file and extensions to random alpha numeric numbers and is using a new command and control (C2) host.
- For a more detailed analysis of the EITEST and CryptXXX traffic, see my post Neutrino Exploit Kit via EITEST 184.108.40.206 sends CryptXXX Ransomware.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 220.127.116.11 – bionne.tk – EITEST GATE
- 18.104.22.168 – dunwoody.southwest-furniture.co.uk – Neutrino EK LANDING PAGE
- 22.214.171.124 PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
IMAGES AND DETAILS:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: