Neutrino Exploit Kit via pseudoDarkleech delivers CrypMic Ransomware

NOTES:

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-31-Neutrino-EK-pcaps.zip

ASSOCIATED DOMAINS AND IP ADDRESSES COMPROMISED SITE 1:

  • 74.208.199.172 – overexci-morphogenic.car-air-conditioning.org.uk – Neutrino EK
  • 193.111.140.100 Port 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS AND IP ADDRESSES COMPROMISED SITE 2:

  • 74.208.234.41 – insultadorrgb12955.ametwist.com – Neutrino EK
  • 193.111.140.100 Port 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS AND IP ADDRESSES COMPROMISED SITE 3:

  • 74.208.234.51 – aviatricehyllytyksen.tvbedsdirect.co.uk – Neutrino EK
  • 193.111.140.100 Port 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection for compromised site 1

Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection for compromised site 2

Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection for compromised site 3

Shown above: DNS shadowing, as explained in a sucuri.net blog post

Shown above: Injected iframe found on the index page of compromised site 2

Shown above: Injected iframe found on the index page of compromised site 3

Shown above: Partial content of packet 174 from compromised site 3, showing Neutrino exploiting Flash

Shown above: Start of the CrypMic ransom note and De-Crypt instructions (README.HTML)

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: