Neutrino Exploit Kit via EITEST sends updated CryptXXX Ransomware
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the EITEST campaign.
- Some changes noted to this version of CryptXXX were, it renames the file and extensions to random alpha numeric numbers and is using a new command and control (C2) host.
- For a more detailed analysis of the EITEST and CryptXXX traffic, see my post Neutrino Exploit Kit via EITEST 18.104.22.168 sends CryptXXX Ransomware.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 22.214.171.124 – bionne.tk – EITEST GATE
- 126.96.36.199 – dunwoody.southwest-furniture.co.uk – Neutrino EK LANDING PAGE
- 188.8.131.52 PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
IMAGES AND DETAILS:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: