Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- More information about the latest pseudoDarkleech campaign can be found in a post on the SANS Internet Storm Center, "Change in patterns for the pseudoDarkleech campaign".
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
126.96.36.199 – serafino-monocarbonate.givingtuesday.org.uk – Neutrino EK
188.8.131.52 Port 443 – CryptXXX CnC Check-in
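As an added example (not part of the original post, and not tooling from the pseudoDarkleech or CryptXXX analysis), the script below turns the indicators listed above into a small matcher that can be run over proxy or firewall logs. The log line format (`<timestamp> <src_ip> <dst_ip>:<dst_port> <host>`) and the sample log lines are constructed for this illustration; the only values taken from the post are the Neutrino EK IP and domain and the CryptXXX check-in IP on port 443. The sample includes a connection to the check-in IP on port 80 to show that pairing an IP with the reported port is a tuning decision: the post only reports 443, so that line produces no alert here.

```python
"""
Added example: match proxy/firewall log lines against the IoCs from the post.
Log format and sample lines are constructed; the indicator values are the
ones listed in the post.
"""
import re

# Indicators from the post (the only page-supplied values in this script).
NEUTRINO_EK_IP = "126.96.36.199"
NEUTRINO_EK_DOMAIN = "serafino-monocarbonate.givingtuesday.org.uk"
CRYPTXXX_CNC_IP = "188.8.131.52"
CRYPTXXX_CNC_PORT = 443

IOC_DOMAINS = {NEUTRINO_EK_DOMAIN: "Neutrino EK landing"}
IOC_IPS = {NEUTRINO_EK_IP: "Neutrino EK"}
IOC_IP_PORTS = {(CRYPTXXX_CNC_IP, CRYPTXXX_CNC_PORT): "CryptXXX CnC check-in"}

# Constructed log format: "<ts> <src_ip> <dst_ip>:<dst_port> <host>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<host>\S+)$"
)

# Constructed sample log: one benign request, the EK landing page,
# the check-in on 443, the same IP on 80, and a malformed line.
SAMPLE_LOG = """\
2016-06-01T10:00:01Z 10.0.0.5 93.184.216.34:80 example.com
2016-06-01T10:00:07Z 10.0.0.5 126.96.36.199:80 serafino-monocarbonate.givingtuesday.org.uk
2016-06-01T10:00:09Z 10.0.0.5 188.8.131.52:443 -
2016-06-01T10:00:12Z 10.0.0.7 188.8.131.52:80 -
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def match_iocs(record):
    """Return a list of (indicator, label) hits for one parsed record."""
    hits = []
    host = record["host"].lower().rstrip(".")
    # Match the exact domain or any subdomain of it.
    for dom, label in IOC_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            hits.append((dom, label))
    # Bare IP indicator, regardless of port.
    if record["dst"] in IOC_IPS:
        hits.append((record["dst"], IOC_IPS[record["dst"]]))
    # IP:port indicator; a different port on the same IP does not match.
    key = (record["dst"], record["port"])
    if key in IOC_IP_PORTS:
        hits.append((f"{key[0]}:{key[1]}", IOC_IP_PORTS[key]))
    return hits


def scan_log(text):
    """Scan multi-line log text; return (alerts, number of unparsable lines skipped)."""
    alerts = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        for indicator, label in match_iocs(rec):
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "indicator": indicator, "label": label})
    return alerts, skipped


if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['indicator']} ({a['label']})")
    print(f"{bad} unparsable line(s) skipped")
```

Running it against the constructed sample yields three alerts (the landing domain, the landing IP, and the 443 check-in) and skips the malformed line; the port-80 connection to the check-in IP is silently passed over, which is the behaviour to revisit if the campaign's check-in port changes.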
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EK: