Neutrino Exploit Kit via EITEST Campaign sends CryptXXX Ransomware

NOTES:

  • Below is traffic related to a site compromised by the EITEST campaign using the Neutrino Exploit Kit to send CryptXXX
  • I ran this site late Friday on July 21st 2016 and noticed CryptXXX was using IP address 85.14.243.9 as a second command and control (C2) – Germany, AS24961 myLoc managed IT AG. Since then, I have not seen the return of this C2.
  • I also ran this site on July 24th 2016 and the EITEST campaign again used the Neutrino Exploit Kit to send CryptXXX, without the second C2.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-24-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES 2016-07-21:

  • 85.93.0.12 – yvatahil.xyz – EITEST GATE
  • 74.208.185.222 – sikyttneet.intoaddedtime.org.uk – Neutrino EK
  • 188.0.236.9 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
  • 85.14.243.9 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
    (Germany, AS24961 myLoc managed IT AG)


ASSOCIATED DOMAINS AND IP ADDRESSES 2016-07-24:

  • 85.93.0.12 – hadohope.xyz – EITEST GATE
  • 64.150.186.165 – kansallisvaltion.ukmicrosuction.com – Neutrino EK
  • 188.0.236.9 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC


ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://5bjte3wc7vn7wkrv.onion.to
http://5bjte3wc7vn7wkrv.onion.cab
http://5bjte3wc7vn7wkrv.onion.city
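Added example for detection (not code from the original post): a small Python scanner that looks for the indicators listed above in proxy, DNS and firewall log lines and labels each hit with its stage in the chain (EITest gate, Neutrino EK, CryptXXX C2 check-in, ransom payment page). It goes slightly beyond the lists: subdomains of a listed domain are matched as well, and the ransom page is matched on the .onion name itself so a Tor2web gateway other than onion.to/.cab/.city is still caught. The log lines in SAMPLE_LOGS and the 10.0.0.25 client address are constructed for illustration.

```python
"""Match the EITest / Neutrino EK / CryptXXX indicators listed in this post
against proxy, DNS and firewall log lines.

Added example for this post; it is not code from the original write-up.
The log lines in SAMPLE_LOGS are constructed for illustration.
"""
import re

# Indicators exactly as listed in the post, keyed by value.
IP_INDICATORS = {
    "85.93.0.12": "EITest gate",
    "74.208.185.222": "Neutrino EK",
    "64.150.186.165": "Neutrino EK",
    "188.0.236.9": "CryptXXX C2 check-in (TCP/443)",
    "85.14.243.9": "CryptXXX C2 check-in (TCP/443)",
}
DOMAIN_INDICATORS = {
    "yvatahil.xyz": "EITest gate",
    "hadohope.xyz": "EITest gate",
    "sikyttneet.intoaddedtime.org.uk": "Neutrino EK",
    "kansallisvaltion.ukmicrosuction.com": "Neutrino EK",
}
# The ransom page is reached through Tor2web gateways (onion.to, onion.cab,
# onion.city in the post); match the .onion name itself so any gateway is caught.
ONION_INDICATORS = {"5bjte3wc7vn7wkrv": "CryptXXX ransom payment page"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})\b", re.I)
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion(?:\.[a-z]+)?\b", re.I)


def classify(line):
    """Return [(indicator, stage), ...] for every listed IoC found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IP_INDICATORS:
            hits.append((ip, IP_INDICATORS[ip]))
    for host in HOST_RE.findall(line):
        h = host.lower()
        for domain, stage in DOMAIN_INDICATORS.items():
            # exact match or any subdomain of a listed domain
            if h == domain or h.endswith("." + domain):
                hits.append((host, stage))
    for onion in ONION_RE.findall(line):
        name = onion.lower()
        if name in ONION_INDICATORS:
            hits.append((name + ".onion", ONION_INDICATORS[name]))
    # drop duplicates while keeping first-seen order
    return list(dict.fromkeys(hits))


def scan(lines):
    """Return [(line_number, indicator, stage), ...] across a log, in order."""
    return [(i, ioc, stage)
            for i, line in enumerate(lines)
            for ioc, stage in classify(line)]


# Constructed sample lines (proxy, DNS, firewall) following the 2016-07-24 chain.
SAMPLE_LOGS = [
    "2016-07-24T13:01:55Z 10.0.0.25 GET http://hadohope.xyz/ 200",
    "2016-07-24T13:02:03Z 10.0.0.25 query A kansallisvaltion.ukmicrosuction.com",
    "2016-07-24T13:03:40Z 10.0.0.25:49211 -> 188.0.236.9:443 allowed",
    "2016-07-24T13:04:00Z 10.0.0.25 GET http://www.example.com/ 200",
    "2016-07-24T13:10:12Z 10.0.0.25 GET http://5bjte3wc7vn7wkrv.onion.city/ 200",
]

if __name__ == "__main__":
    for i, ioc, stage in scan(SAMPLE_LOGS):
        print(f"line {i}: {ioc} -> {stage}")
```

The order of hits across a log is itself useful: a gate hit followed by an EK hit and then a 443 check-in from the same client reproduces the chain the captures above show, which is a stronger signal than any single indicator.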


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with Neutrino exploit and CryptXXX ransomware infection 2016-07-21

Shown above: Traffic associated with Neutrino exploit and CryptXXX ransomware infection 2016-07-24

Shown above: Post infection traffic communicating with C2 – 85.14.243.9

Shown above: CryptXXX .HTML ransom note and De-Crypt instructions @README.HTML

Shown above: CryptXXX .BMP ransom note and De-Crypt instructions @README.BMP

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: