Neutrino Exploit Kit from EITEST Gate 85.93.0.43 sends CryptXXX Ransomware

Jun 23, 2016 by Analysis in EITEST

ASSOCIATED DOMAINS AND IP ADDRESSES:

85.93.0.43 – milez.tk – EITEST GATE
108.163.224.94 – umfragefsymfunny.bettercarlighting.com – Neutrino EK LANDING PAGE
185.49.68.215 – CryptXXX Command and Control [C2]

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-06-23-Neutrino-EK-pcap.zip

DETAILS OF INFECTION CHAIN:

Shown above: Compromised site and associated domains leading to CryptXXX ransomware

Shown above: Using Wiresharks Follow TCP Stream filter on compromised site – Injected script found on compromised site associated with the EITEST campaign redirecting to the EITEST gate

Shown above: Using Wiresharks Follow TCP Stream filter on EITEST gate shows redirect script to Neutrino landing page

Shown above: Using Wiresharks Follow TCP Stream filter on Neutrino landing page shows Neutrino exploiting flash

Shown above: Using Wiresharks Follow TCP Stream filter on Neutrino landing page shows malicious payload delivery via an application/octet-stream. Shown is the partial encrypted payload. If this was a true application/octet-stream the first two characters would have been “MZ” unless using HTTP compression.

Shown above: Cryptxxx .HTML ransom note and De-Crypt instructions

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

2016-06-23-Neutrino-EK.swf
Virus Total Link
2016-06-23-radEE18D.tmp.dll [CryptXXX]
Virus Total Link

Tagged with: Albany NY, Malware Research, Ransomware