Neutrino Exploit Kit via pseudoDarkleech delivers CrypMic Ransomware

NOTES:

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-02-Neutrino-EK-pcap.zip

 

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 74.208.234.2 – vekselstrmsgenerator.omargarson.uk – Neutrino EK
  • 193.111.140.100 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city

Both are Tor2web gateway hostnames for the same hidden service (ccjlwb22w6c22p2k.onion), so block or alert on the .onion name itself rather than only on these two gateway domains.

 

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino EK and CrypMic ransomware infection

 

Shown above: Injected pseudoDarkleech iframe found on the index page of the compromised site
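An added example, not code from the original write-up and not the exact markup in the screenshot: a small Python scanner that pulls every iframe out of a page and flags the ones that are both off-site and concealed. SAMPLE_HTML is constructed for this example; only the Neutrino hostname is taken from the IOC list above (the landing path is omitted because it is not reproduced in this post), and the concealment heuristics (CSS hiding, 1x1 dimensions) are assumptions about what this class of injection usually looks like.

```python
"""Heuristic scan for an injected iframe on a compromised page.

Added example for this write-up, not the injected iframe from the
screenshot: SAMPLE_HTML is constructed, and the scoring rules (off-site
src plus CSS hiding or 1x1 dimensions) are assumptions about what an
EK-gate injection of this type usually looks like.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the compromised site's index page. Only the
# Neutrino hostname comes from the write-up's IOC list; the path is
# omitted because the real landing URL is not reproduced here.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<div style="position:absolute;top:-999px;">
<iframe src="http://vekselstrmsgenerator.omargarson.uk/" width="1" height="1"
        style="display:none"></iframe>
</div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    if not value:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_injected_iframes(html, page_host):
    """Return iframes that are off-site AND concealed. Either signal alone is
    too common (embedded video, ad units, tracking pixels) to alert on."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        off_site = bool(host) and host != page_host and not host.endswith("." + page_host)
        reasons = []
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("1x1 or smaller")
        if off_site and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # page_host is the hostname of the compromised site (assumed value here)
    for f in find_injected_iframes(SAMPLE_HTML, "www.example.com"):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

Run this against the saved index page of the compromised site with its real hostname as page_host; the YouTube embed in the sample is off-site but visible, so it is correctly not reported.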

 

Shown above: Partial content of packet 146 from the compromised site shows Neutrino exploiting an outdated Flash Player version, 16,0,0,235

 

Shown above: Partial packet content of CrypMic sending the .HTML ransom note in clear text over TCP port 443. The port is the one normally used for SSL/TLS, but this traffic is not encrypted, so content inspection on 443 (rather than assuming everything on that port is TLS) is what catches it.
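The clear-text-on-443 detail is the detection hook here, and it also ties back to the IOC list at the top of the post. As an added example, not a tool from the original analysis, the Python below inspects the first client bytes of each TCP/443 session to separate real TLS (a ClientHello record header) from plaintext HTTP, and matches destinations against the IP addresses and hostname from the IOC list. The FLOWS records are constructed; only the addresses and the hostname come from this post, and the POST body is a placeholder rather than the real check-in.

```python
"""Flag non-TLS client traffic to TCP/443 and match flows against the IOCs.

Added example for this post, not a tool from the original analysis. The
flow records in FLOWS are constructed: only the destination IP addresses
and the hostname come from the IOC list above; the POST body is a
placeholder, not the real check-in.
"""

IOC_IPS = {"74.208.234.2", "193.111.140.100"}        # from the IOC list above
IOC_DOMAINS = {"vekselstrmsgenerator.omargarson.uk"}  # from the IOC list above

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def looks_like_tls_client_hello(payload):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04,
    a 2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def classify_443_payload(payload):
    """'tls', 'plaintext-http' or 'unknown' for the first client bytes of a 443 session."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def http_host(payload):
    """Host header of a plaintext HTTP request, lowercased, or '' if absent."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace").lower()
    return ""


# Constructed flows: (src, dst, dport, first client payload bytes)
FLOWS = [
    # a normal TLS ClientHello to an unrelated server
    ("10.0.0.5", "93.184.216.34", 443, bytes.fromhex("1603010050") + b"\x01" + b"\x00" * 20),
    # plaintext HTTP on 443 to the C2 address from the IOC list (placeholder body)
    ("10.0.0.5", "193.111.140.100", 443,
     b"POST / HTTP/1.1\r\nHost: 193.111.140.100\r\n\r\n<placeholder body>"),
    # something on 443 that is neither TLS nor HTTP
    ("10.0.0.5", "10.0.0.9", 443, b"\x00\x01\x02\x03"),
    # HTTP on port 80 to the EK hostname; caught by the IOC match, not the 443 check
    ("10.0.0.5", "74.208.234.2", 80,
     b"GET / HTTP/1.1\r\nHost: vekselstrmsgenerator.omargarson.uk\r\n\r\n"),
]


def find_suspicious(flows):
    """Alert on any flow that hits an IOC, plus any 443 session carrying plaintext HTTP."""
    alerts = []
    for src, dst, dport, payload in flows:
        kind = classify_443_payload(payload) if dport == 443 else "n/a"
        host = http_host(payload) if payload.startswith(HTTP_METHODS) else ""
        ioc = dst in IOC_IPS or host in IOC_DOMAINS
        if kind == "plaintext-http" or ioc:
            alerts.append({"src": src, "dst": dst, "dport": dport, "kind": kind, "ioc": ioc})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(FLOWS):
        print(a)
```

Feed it the first client segment of each session reconstructed from the pcap (for example via a stream-reassembly step in your own tooling); the plaintext rule fires on the C2 check-in even with no IOC knowledge, which is the point of the caption above.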

 

Shown above: Windows desktop background image and ransom notes post infection

 

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

2016-08-02-Neutrino-EK.swf
VirusTotal link
2016-08-02-rad7C12C.tmp.dll
VirusTotal link