Neutrino Exploit Kit via pseudoDarkleech sends CryptXXX Ransomware


NOTES:

  • Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
  • More information about the latest pseudoDarkleech campaign can be found in the SANS Internet Storm Center post "Change in patterns for the pseudoDarkleech campaign".

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-16-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 74.208.148.13 – antimalthusiansternmost.metaldehyde.co.uk – Neutrino EK
  • 188.0.236.9 Port 443 – CryptXXX CnC Check-in

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

lkpe6tr2yuk4f246.onion.to
lkpe6tr2yuk4f246.onion.cab
lkpe6tr2yuk4f246.onion.city

 

DETAILS OF INFECTION CHAIN:

Shown above: IP addresses and Domains associated with today’s CryptXXX Ransomware infection

 

Shown above: Injected script found on compromised site redirecting to Neutrino Exploit Kit landing page

 

Shown above: Wireshark's File => Export Objects => HTTP shows the Neutrino Flash exploit in packet 145 and the delivery of the malicious payload in packet 759
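The Export Objects view is a quick way to eyeball the chain, but an exploit kit's declared Content-Type is not something to trust. The following added example (not from the original post or the pcap) triages raw HTTP responses the way an analyst would after exporting them: it parses each response, identifies the body by its leading bytes (SWF "FWS"/"CWS"/"ZWS" signatures, PE "MZ", HTML), compares that with the declared Content-Type, and flags Flash or executable objects and any label mismatch. All sample responses are constructed; the frame numbers 145 and 759 are borrowed from the caption for orientation only, and the SWF and PE bodies are inert padding, not the captured exploit or payload.

```python
import zlib

# File signatures that matter when triaging an exploit-kit chain.
SWF_MAGICS = {b"FWS": "swf (uncompressed)", b"CWS": "swf (zlib)", b"ZWS": "swf (lzma)"}
PE_MAGIC = b"MZ"

# What body type each declared Content-Type should carry. None means the label is
# generic (anything is plausible), so no mismatch is raised for it.
DECLARED_TO_KIND = {
    "application/x-shockwave-flash": "swf",
    "application/x-msdownload": "pe",
    "application/octet-stream": None,
    "text/html": "html",
}


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def classify_body(body):
    """Identify the object by its leading bytes, ignoring what the server claimed."""
    if body[:3] in SWF_MAGICS:
        return SWF_MAGICS[body[:3]]
    if body[:2] == PE_MAGIC:
        return "pe"
    head = body[:512].lower()
    if b"<html" in head or b"<script" in head:
        return "html"
    return "unknown"


def swf_declared_length(body):
    """SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length of
    the fully decompressed file. A length far above the transfer size hints at a
    heavily packed file."""
    return int.from_bytes(body[4:8], "little")


def triage(frame, raw):
    """Return a verdict for one HTTP response, keyed by pcap frame number."""
    _, headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = classify_body(body)
    expected = DECLARED_TO_KIND.get(declared)
    mismatch = expected is not None and not actual.startswith(expected)
    verdict = {
        "frame": frame,
        "declared": declared or "(none)",
        "actual": actual,
        "size": len(body),
        "mismatch": mismatch,
        "interesting": actual.startswith("swf") or actual == "pe" or mismatch,
    }
    if actual.startswith("swf"):
        verdict["swf_uncompressed_len"] = swf_declared_length(body)
    return verdict


def make_swf(version=20, payload=b"\x00" * 64):
    """Build a minimal CWS (zlib-compressed) SWF container. Constructed test data,
    not the exploit from the pcap: the compressed body is inert padding."""
    total = 8 + len(payload)
    return b"CWS" + bytes([version]) + total.to_bytes(4, "little") + zlib.compress(payload)


def build_http(content_type, body):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample responses (synthetic bytes; frame numbers are labels only).
SAMPLE_RESPONSES = [
    (12, build_http("text/html", b"<html><body><script>/* landing page */</script></body></html>")),
    (145, build_http("application/x-shockwave-flash", make_swf())),
    (300, build_http("text/html", make_swf(version=18))),  # SWF behind a text/html label
    (759, build_http("application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60)),
]


def triage_all(responses=SAMPLE_RESPONSES):
    return [triage(frame, raw) for frame, raw in responses]


if __name__ == "__main__":
    for v in triage_all():
        flag = "!!" if v["interesting"] else "  "
        print(f"{flag} frame {v['frame']:>4}  declared={v['declared']:<32} "
              f"actual={v['actual']:<18} bytes={v['size']}")
```

Frame 300 is the case worth noticing: a Flash file served as text/html passes a Content-Type filter in Wireshark or a proxy log but is caught by the signature check. Point the same logic at the real exported objects and the Neutrino SWF and the payload DLL stand out regardless of how the server labelled them.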

 

Shown above: Packet 145 shows partial contents of the Neutrino exploit targeting an outdated version of Flash

 

Shown above: CryptXXX communication with the Command and Control (CnC) host over port 443 in clear text (not TLS)
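Port 443 does not mean encrypted, and the check-in above is the reason to verify. The following added example (not from the original post) classifies traffic on TCP 443 by the first bytes the client sends: a TLS session opens with a handshake record (0x16, version 0x03 0x00..0x03, length, then handshake type 0x01 for ClientHello), so anything else on that port is clear text worth a look. The flows are constructed; the destination 188.0.236.9 is the CnC address listed on this page, but the client payload bytes shown for it are synthetic, not the real CryptXXX check-in protocol.

```python
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(first_bytes):
    """True if the client's first bytes are a TLS handshake record carrying a
    ClientHello. Record layer: type 0x16, version 0x03 0x00..0x03 (SSL 3.0 to TLS
    1.2; TLS 1.3 also uses 0x0301 or 0x0303 here), 2-byte length, then handshake
    type 0x01. Legacy SSLv2-format hellos are not matched by this check."""
    if len(first_bytes) < 6:
        return False
    record_len = int.from_bytes(first_bytes[3:5], "big")
    return (first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03
            and record_len > 0
            and first_bytes[5] == TLS_CLIENT_HELLO)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_443_flow(first_bytes):
    """Label a flow to TCP 443 from its first client payload."""
    if looks_like_tls_client_hello(first_bytes):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "cleartext-http"
    return "cleartext-other"


# Constructed flows: (client, server, first client payload on TCP 443).
CLIENT_HELLO = (b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"   # record + handshake hdr
                + b"\x11" * 32)                                  # client random (synthetic)
SAMPLE_FLOWS = [
    ("192.168.1.50", "93.184.216.34", CLIENT_HELLO),
    ("192.168.1.50", "188.0.236.9", b"\x00\x00\x00\x1c" + b"\xa1" * 28),   # synthetic blob
    ("192.168.1.50", "203.0.113.7", b"GET /check HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("192.168.1.50", "198.51.100.9", b"\x16\x03"),   # truncated: too short to judge as TLS
]


def find_cleartext_443(flows=SAMPLE_FLOWS):
    """Return (client, server, label) for every 443 flow that is not TLS."""
    hits = []
    for client, server, payload in flows:
        label = classify_443_flow(payload)
        if label != "tls":
            hits.append((client, server, label))
    return hits


if __name__ == "__main__":
    for client, server, label in find_cleartext_443():
        print(f"{client} -> {server}:443  {label}")
```

In a real capture the first client payload per flow comes from following the TCP stream (tshark's `tcp.stream` field gives the grouping); the classifier itself needs nothing beyond those first six bytes, which is what makes it cheap enough to run over every 443 flow rather than only the ones an analyst already suspects.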

 

Shown above: CryptXXX .HTML ransom note and decryption instructions, @README.HTML

 

Shown above: CryptXXX .BMP ransom note and decryption instructions, @README.BMP

 

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EK:

  • 2016-07-16-Neutrino-EK.swf
    Hybrid-Analysis.com
  • 2016-07-16-rad05B58.tmp.dll
    Hybrid-Analysis.com