Neutrino Exploit Kit via pseudoDarkleech delivers CrypMic Ransomware



NOTES:

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic:
2016-08-04-Neutrino-EK-pcap.zip

 

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.25.107.121 – walbornvertakkings.traceyconcrete.co.uk – Neutrino EK
  • 193.111.140.100 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city
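
The indicators above are most useful once they are checked against traffic logs. The script below is an added example (not part of the original post and not from the pcap) that matches the page's EK IP/domain, the port 443 C2 check-in and the two ransom payment hosts against constructed Zeek-style conn, dns and http log lines. It also generalizes the payment-site indicator: both hosts are the same 16-character v2 onion address reached through Tor2web gateways (.onion.to, .onion.city), so any onion address seen through such a gateway is flagged. The gateway suffix list and the Zeek column order are assumptions for the demo.

```python
"""Hypothetical IOC matcher for the Neutrino EK / CrypMIC traffic on this page.

Added example, not the blog's own tooling. Indicators come from the page;
log lines are constructed for the demo and use an assumed Zeek-like column order.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "log ts reason")

# Indicators listed on the page
EK_IPS = {"85.25.107.121"}
EK_DOMAINS = {"walbornvertakkings.traceyconcrete.co.uk"}
C2_ENDPOINTS = {("193.111.140.100", 443)}
PAYMENT_DOMAINS = {"ccjlwb22w6c22p2k.onion.to", "ccjlwb22w6c22p2k.onion.city"}

# Generalization: a v2 onion address is 16 base32 chars (a-z, 2-7); when it is
# followed by a Tor2web gateway suffix the client reached a hidden service over
# the clearnet. The gateway suffix list here is an assumption, not from the page.
TOR2WEB_RE = re.compile(r"(?:^|\.)[a-z2-7]{16}\.onion\.(?:to|city|link|cab|nu)$", re.I)


def domain_matches(host):
    """True if host is a listed domain or any onion reached through a Tor2web gateway."""
    host = host.lower().rstrip(".")
    return host in EK_DOMAINS or host in PAYMENT_DOMAINS or bool(TOR2WEB_RE.search(host))


# Assumed column order for the constructed logs (tab separated, '#' lines are headers)
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
DNS_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "query", "answers"]
HTTP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "method", "host", "uri"]


def parse(lines, fields):
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        yield dict(zip(fields, line.rstrip("\n").split("\t")))


def scan_conn(lines):
    hits = []
    for rec in parse(lines, CONN_FIELDS):
        dst, dport = rec["id.resp_h"], int(rec["id.resp_p"])
        if dst in EK_IPS:
            hits.append(Hit("conn", rec["ts"], "connection to Neutrino EK server %s" % dst))
        if (dst, dport) in C2_ENDPOINTS:
            hits.append(Hit("conn", rec["ts"], "CrypMIC C2 check-in to %s:%d" % (dst, dport)))
    return hits


def scan_dns(lines):
    return [Hit("dns", rec["ts"], "lookup of %s" % rec["query"])
            for rec in parse(lines, DNS_FIELDS) if domain_matches(rec["query"])]


def scan_http(lines):
    hits = []
    for rec in parse(lines, HTTP_FIELDS):
        if domain_matches(rec["host"]) or rec["id.resp_h"] in EK_IPS:
            hits.append(Hit("http", rec["ts"], "%s %s%s" % (rec["method"], rec["host"], rec["uri"])))
    return hits


def scan_all(conn, dns, http):
    """Run every scanner; returns conn hits, then dns hits, then http hits."""
    return scan_conn(conn) + scan_dns(dns) + scan_http(http)


# Constructed sample logs (not taken from the pcap); timestamps and URIs are arbitrary
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1470300000.1\tC1\t192.168.1.10\t49201\t85.25.107.121\t80\ttcp",
    "1470300005.2\tC2\t192.168.1.10\t49202\t193.111.140.100\t443\ttcp",
    "1470300006.3\tC3\t192.168.1.10\t49203\t93.184.216.34\t443\ttcp",
]
SAMPLE_DNS = [
    "1470299999.0\tD1\t192.168.1.10\t53412\t192.168.1.1\t53\twalbornvertakkings.traceyconcrete.co.uk\t85.25.107.121",
    "1470300050.0\tD2\t192.168.1.10\t53413\t192.168.1.1\t53\tccjlwb22w6c22p2k.onion.city\t-",
    "1470300051.0\tD3\t192.168.1.10\t53414\t192.168.1.1\t53\twww.example.com\t93.184.216.34",
]
SAMPLE_HTTP = [
    "1470300000.5\tC1\t192.168.1.10\t49201\t85.25.107.121\t80\tGET\twalbornvertakkings.traceyconcrete.co.uk\t/",
    "1470300052.0\tC4\t192.168.1.10\t49204\t10.0.0.5\t80\tGET\twww.example.com\t/index.html",
]

if __name__ == "__main__":
    for hit in scan_all(SAMPLE_CONN, SAMPLE_DNS, SAMPLE_HTTP):
        print("%s\t%s\t%s" % hit)
```

On real Zeek output, read the `#fields` header instead of the assumed column lists, and note that the C2 match is on IP and port only: the check-in is on 443 and the page does not say whether it is TLS, so there is no hostname or URI to key on there.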

 

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino EK and CrypMIC ransomware infection

 

Shown above: Suspicious script found on compromised site. A similar script was found on another compromised site on August 2nd, 2016 [HERE]

 

Shown above: Injected iframe script found on index page of compromised site

 

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

2016-08-04-Neutrino-EK.swf – Flash exploit served by the EK – VirusTotal link
2016-08-04-rad38E0B.tmp.dll – CrypMIC ransomware payload DLL – VirusTotal link