I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 18.104.22.168 – juioo.ml – EITEST GATE
- 22.214.171.124 – bacillisirtisanoutuminen.doctorbargain.co.uk – Neutrino EK LANDING PAGE
- 126.96.36.199 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
DETAILS OF INFECTION CHAIN:
Shown above: HTTP traffic associated with Neutrino exploit and CryptXXX ransomware
Shown above: Injected script found on compromised site which redirects to the EITEST gate via a flash file.
Shown above: Script on EITEST gate redirecting to the Neutrino EK landing page
Shown above: Packet 215 shows Neutrino exploiting flash and packet 721 shows malicious payload delivered as an application/octet-stream
Shown above: Partial contents of packet 215 shows Neutrino exploiting flash
Shown above: Partial contents of malicious payload from packet 721
Shown above: CryptXXX post infection communication with the command and control host transmitting its data over port 443 in clear text
Shown above: Cryptxxx .HTML ransom note and De-Crypt instructions
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: