Neutrino Exploit Kit via EITEST 85.93.0.12 send CryptXXX Ransomware


NOTES:

  • Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the EITEST campaign.
  • The EITEST campaign is now using a new gate, IP address 85.93.0.12, to redirect to the Neutrino Exploit Kit (EK) landing page.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic:
2016-07-19-Neutrino-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.12 – sopxx.xyz – EITEST GATE
  • 74.63.195.115 – accusabletrescher.langleytennis.com – Neutrino EK LANDING PAGE
  • 188.0.236.9 PORT 443 – C2 check-in – POST-INFECTION TRAFFIC


ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://5bjte3wc7vn7wkrv.onion.to
http://5bjte3wc7vn7wkrv.onion.cab
http://5bjte3wc7vn7wkrv.onion.city


IMAGES AND DETAILS OF INFECTION CHAIN:

  • Image: Traffic associated with the Neutrino EK exploit and CryptXXX ransomware infection
  • Image: Injected script found on the compromised site leading to the EITEST redirect gate
  • Image: Script on the EITEST gate redirecting to the Neutrino EK landing page
  • Image: Packet 220 shows the Neutrino EK Flash exploit and packet 633 shows the download of the malicious payload
  • Image: CryptXXX .HTML ransom note and De-Crypt instructions @README.HTML
  • Image: CryptXXX .BMP ransom note and De-Crypt instructions !README.BMP

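Added example (not part of the original post or its pcap): a small Python correlation check that maps requests to the chain stages listed above (EITEST gate, Neutrino EK landing page, C2 check-in on 188.0.236.9:443) and flags an internal host only when it hits all three in order within a short window. The proxy log format, the internal 10.0.0.x hosts and the 192.0.2.10 compromised-site address are constructed assumptions for the sample.

```python
import re
from collections import defaultdict

# Indicators taken from the post, keyed by infection-chain stage.
STAGES = {
    "gate": {"85.93.0.12", "sopxx.xyz"},
    "landing": {"74.63.195.115", "accusabletrescher.langleytennis.com"},
    "c2": {"188.0.236.9:443"},
}
ORDER = ["gate", "landing", "c2"]

# Constructed sample proxy log lines (not from the post's pcap).
# Format assumed: "<epoch> <src_ip> <dst_ip>:<dst_port> <host_header>"
SAMPLE_LOG = """\
1468930000 10.0.0.5 192.0.2.10:80 compromised-site.example
1468930002 10.0.0.5 85.93.0.12:80 sopxx.xyz
1468930004 10.0.0.5 74.63.195.115:80 accusabletrescher.langleytennis.com
1468930030 10.0.0.5 188.0.236.9:443 -
1468930040 10.0.0.9 85.93.0.12:80 sopxx.xyz
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+)$")


def stage_of(dst_ip, dst_port, host):
    """Return the chain stage a request matches, or None."""
    for stage, iocs in STAGES.items():
        if dst_ip in iocs or host in iocs or f"{dst_ip}:{dst_port}" in iocs:
            return stage
    return None


def correlate(log_text, window=300):
    """Per internal host, record the first hit of each stage and report
    whether gate -> landing -> c2 occurred in order within `window` seconds."""
    hits = defaultdict(dict)  # src -> stage -> first timestamp
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, port, host = m.groups()
        stage = stage_of(dst, port, host)
        if stage and stage not in hits[src]:
            hits[src][stage] = int(ts)
    results = {}
    for src, seen in hits.items():
        times = [seen.get(s) for s in ORDER]
        complete = (None not in times and times == sorted(times)
                    and times[-1] - times[0] <= window)
        results[src] = {"complete_chain": complete,
                        "stages": [s for s in ORDER if s in seen]}
    return results
```

A host that only touched the gate (10.0.0.9 in the sample) is reported with a partial chain, which is the case worth triaging for a blocked or failed exploit attempt.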
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: