Neutrino Exploit Kit via EITEST sends updated CryptXXX Ransomware

NOTES:

  • Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the EITEST campaign.
  • Changes noted in this version of CryptXXX: it renames files and their extensions to random alphanumeric strings, and it uses a new command and control (C2) host.
  • For a more detailed analysis of the EITEST and CryptXXX traffic, see my post Neutrino Exploit Kit via EITEST 85.93.0.43 sends CryptXXX Ransomware.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-08-Neutrino-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.43 – bionne.tk – EITEST GATE
  • 69.162.116.164 – dunwoody.southwest-furniture.co.uk – Neutrino EK LANDING PAGE
  • 188.0.236.9 PORT 443 – C2 Check-In – POST INFECTION TRAFFIC


ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://i5tbhsq567bemcgp.onion.to
http://i5tbhsq567bemcgp.onion.cab
http://i5tbhsq567bemcgp.onion.city


IMAGES AND DETAILS:

Shown above: HTTP traffic associated with the Neutrino exploit kit and CryptXXX ransomware


Shown above: CryptXXX post infection traffic communicating with the new C2 host


Shown above: Naming convention associated with the latest CryptXXX ransomware


Shown above: CryptXXX .HTML ransom note and De-Crypt instructions, !README.HTML


Shown above: CryptXXX .BMP ransom note and De-Crypt instructions, !README.BMP
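As an added example (not part of the original post), a small Python triage check that flags a directory listing showing the combination noted above: the !README.HTML / !README.BMP notes sitting next to files whose names and extensions are random alphanumeric strings. The sample listings are constructed, and the exact rename scheme and the COMMON_EXTS set are assumptions, so treat the result as a heuristic for prioritising hosts, not as proof of infection.

```python
import re
from pathlib import PurePosixPath

# Ransom-note file names reported in the post.
RANSOM_NOTES = {"!README.HTML", "!README.BMP"}

# Extensions a normal user directory is expected to contain (assumption; used
# only to decide whether an extension looks "random").
COMMON_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "html", "bmp"}

ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def looks_random(name: str) -> bool:
    """Heuristic for the rename scheme: stem and extension are both bare
    alphanumeric strings, the extension is unfamiliar, and the stem mixes
    letters and digits as a random generator would."""
    p = PurePosixPath(name)
    stem, ext = p.stem, p.suffix.lstrip(".")
    if not ext or not ALNUM.match(stem) or not ALNUM.match(ext):
        return False
    if ext.lower() in COMMON_EXTS:
        return False
    return any(c.isalpha() for c in stem) and any(c.isdigit() for c in stem)


def assess_directory(names):
    """Return (ransom_note_present, renamed_count, total_non_note_files)."""
    notes = [n for n in names if n.upper() in RANSOM_NOTES]
    candidates = [n for n in names if n.upper() not in RANSOM_NOTES]
    renamed = [n for n in candidates if looks_random(n)]
    return bool(notes), len(renamed), len(candidates)


def is_suspect(names, min_ratio=0.5):
    """Flag a directory when a ransom note is present AND at least min_ratio of
    the remaining files carry random-looking names (tunable assumption)."""
    note, renamed, total = assess_directory(names)
    return note and total > 0 and renamed / total >= min_ratio


# Constructed sample listings (not taken from the pcap or the post).
ENCRYPTED_DIR = ["!README.HTML", "!README.BMP", "A1b2C3d4E5f6.Z9Y8X",
                 "9Qw8Er7Ty6Ui.K1l2M", "report.docx"]
CLEAN_DIR = ["report.docx", "photo.jpg", "notes.txt"]

if __name__ == "__main__":
    for label, listing in (("encrypted", ENCRYPTED_DIR), ("clean", CLEAN_DIR)):
        print(label, assess_directory(listing), "suspect" if is_suspect(listing) else "ok")
```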


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: