Neutrino Exploit Kit via EITEST gate 85.93.0.43 Delivers CryptXXX Ransomware
NOTES:
- Below is traffic I captured from a site compromised by the EITEST campaign. I ran the compromised site twice, generating the infection chains below.
- For more details on the process of breaking down the infection chain, see my post Neutrino Exploit Kit via EITEST 85.93.0.43 sends CryptXXX Ransomware.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-07-08-Neutrino-EK-pcap.zip
2016-07-08 ASSOCIATED DOMAINS AND IP ADDRESSES:
- 85.93.0.43 – niiugr.ml – EITEST GATE
- 74.208.162.191 – adferebaturquesterblichkeitsziffern.tdsk.uk – Neutrino EK LANDING PAGE
- 91.220.131.147 PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
http://2dzmdacevbadfjvu.onion.to
http://2dzmdacevbadfjvu.onion.city
Shown above: Injected script found on compromised site redirecting to the EITEST gate on 2016-07-08
Shown above: Traffic associated with Neutrino exploit and CryptXXX ransomware infection
2016-07-07 ASSOCIATED DOMAINS AND IP ADDRESSES:
- 85.93.0.43 – jikloss.tk – EITEST GATE
- 74.208.162.198 – tuntemisesta-unchildlike.highrisefire.uk – Neutrino EK LANDING PAGE
- 91.220.131.147 PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
http://2dzmdacevbadfjvu.onion.to
http://2dzmdacevbadfjvu.onion.city
Shown above: Traffic associated with Neutrino exploit and CryptXXX ransomware infection
Shown above: CryptXXX Windows desktop background image ransom note and De-Crypt instructions
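The two capture days above share the same chain shape: compromised site, then the EITEST gate on 85.93.0.43, then a Neutrino EK landing page on 74.208.162.x, then the CryptXXX check-in to 91.220.131.147 on port 443. The script below is an added example (not code from this post or its author) that parses the indicator lines exactly as they are listed above, checks them against a proxy log, and reports, per internal host, whether the full gate-to-C2 sequence was seen. The log lines are constructed for the example, the six-field log layout is an assumption, and the compromised-site and unrelated destinations use documentation address ranges and .test names rather than anything from the captures.

```python
import re
from collections import defaultdict

# Indicator lines copied from this post (both capture dates), kept in the
# post's own "IP – domain – ROLE" layout so the parser works on the list as published.
INDICATOR_LINES = [
    "- 85.93.0.43 – niiugr.ml – EITEST GATE",
    "- 74.208.162.191 – adferebaturquesterblichkeitsziffern.tdsk.uk – Neutrino EK LANDING PAGE",
    "- 91.220.131.147 PORT 443 – C2 Check-In – POST INFECTION TRAFFIC",
    "- 85.93.0.43 – jikloss.tk – EITEST GATE",
    "- 74.208.162.198 – tuntemisesta-unchildlike.highrisefire.uk – Neutrino EK LANDING PAGE",
]

# Chain order seen in the post: compromised site -> gate -> EK landing page -> C2 check-in.
STAGE_ORDER = ["gate", "landing", "c2"]

# Constructed proxy log (assumed layout: date time src_ip dst_ip dst_port host).
# 10.0.0.5 walks the whole chain; 10.0.0.9 only touches the gate. Non-indicator
# destinations use documentation address ranges and .test names.
SAMPLE_LOG = """\
2016-07-08 14:02:11 10.0.0.5 203.0.113.10 80 compromised-site.test
2016-07-08 14:02:12 10.0.0.5 85.93.0.43 80 niiugr.ml
2016-07-08 14:02:14 10.0.0.5 74.208.162.191 80 adferebaturquesterblichkeitsziffern.tdsk.uk
2016-07-08 14:02:40 10.0.0.5 91.220.131.147 443 -
2016-07-08 14:05:00 10.0.0.9 85.93.0.43 80 jikloss.tk
2016-07-08 14:06:00 10.0.0.9 198.51.100.7 443 updates.example.test
"""


def parse_indicator(line):
    """Turn one '- IP [PORT n] – domain – ROLE' line into (ip, port, domain, stage)."""
    parts = [p.strip() for p in line.lstrip("- ").split("–")]
    m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+PORT\s+(\d+))?$", parts[0])
    if not m:
        raise ValueError("unrecognised indicator line: %r" % line)
    ip = m.group(1)
    port = int(m.group(2)) if m.group(2) else None   # None = any port
    role = parts[-1].upper()
    if "GATE" in role:
        stage = "gate"
    elif "LANDING" in role:
        stage = "landing"
    elif "POST INFECTION" in role:
        stage = "c2"
    else:
        raise ValueError("unknown role in indicator line: %r" % line)
    domain = parts[1] if "." in parts[1] else None    # the C2 line carries no domain
    return ip, port, domain, stage


def build_lookup(lines):
    """Build (ip, port) -> stage and domain -> stage tables from indicator lines."""
    by_ip, by_domain = {}, {}
    for line in lines:
        ip, port, domain, stage = parse_indicator(line)
        by_ip[(ip, port)] = stage
        if domain:
            by_domain[domain] = stage
    return by_ip, by_domain


def classify(dst_ip, dst_port, host, by_ip, by_domain):
    """Return the chain stage a single connection matches, or None."""
    if host in by_domain:
        return by_domain[host]
    if (dst_ip, dst_port) in by_ip:          # port-specific indicator (the C2 on 443)
        return by_ip[(dst_ip, dst_port)]
    if (dst_ip, None) in by_ip:              # any-port indicator
        return by_ip[(dst_ip, None)]
    return None


def scan_log(log_text, by_ip, by_domain):
    """Return one hit dict per log line that touches an indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port, host = line.split()
        stage = classify(dst, int(port), host, by_ip, by_domain)
        if stage:
            hits.append({"ts": date + " " + time, "src": src,
                         "dst": dst, "host": host, "stage": stage})
    return hits


def stages_by_host(hits):
    """Group matched stages per internal source host, preserving log order."""
    chains = defaultdict(list)
    for h in hits:
        chains[h["src"]].append(h["stage"])
    return dict(chains)


def full_chain(stages):
    """True if gate, landing page and C2 check-in all appear, in that order."""
    positions = [stages.index(s) for s in STAGE_ORDER if s in stages]
    return len(positions) == len(STAGE_ORDER) and positions == sorted(positions)


if __name__ == "__main__":
    by_ip, by_domain = build_lookup(INDICATOR_LINES)
    for src, stages in stages_by_host(scan_log(SAMPLE_LOG, by_ip, by_domain)).items():
        verdict = "full EK-to-C2 chain" if full_chain(stages) else "partial contact"
        print("%s: %s (%s)" % (src, " -> ".join(stages), verdict))
```

The C2 indicator is matched on IP and port 443 with no hostname, since the check-in in the capture is a TLS connection to the bare address; the gate and landing-page indicators match on hostname first and fall back to the IP on any port, because the EITEST gate IP stayed fixed across both days while the domains in front of it changed.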
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:
- 2016-07-08-Neutrino-EK.swf – Virus Total Link
- 2016-07-08-radFC268.tmp.dll – Virus Total Link
- 2016-07-07-Neutrino-EK.swf – Virus Total Link
- 2016-07-07-rad873BA.tmp.dll – Virus Total Link