Neutrino Exploit Kit via pseudoDarkleech sends CryptXXX Ransomware
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- More information about the latest pseudoDarkleech campaign can be found in a post on SANS Internet Storm Center forum Change in patterns for the pseudoDarkleech campaign.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 188.8.131.52 – antimalthusiansternmost.metaldehyde.co.uk – Neutrino EK
- 184.108.40.206 Port 443 – CryptXXX CnC Check-in
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EK: