pseudoDarkleech Leads to Neutrino EK at Which Drops CryptMIC Ransomware

IOCs: – – Compromised Site – – Neutrino EK –  CryptMIC post-infection traffic over TCP port 443

SHA256: 44ea0ce673f1c5cd0637a2212d2b9370e9cffc8487ce96209c8fae3236461170
File name: Neutrino EK Landing Page.html

SHA256: 373c2de51a57012eb0b9f212caff5442b6107e35040f13ff2dd180d74d54b335
File name: Neutrino EK SWF Exploit.swf

SHA256: 49c845bf2371b515b71787464e7225a76bbb3724b92bc9a80fad843eba6d9b69
File name: radE41AE.tmp.dll

This is another typical pseudo-Darkleech to Neutrino EK infection chain. Below we can see the pseudo-Darkleech code injected in the compromised site. The tag contains the URL for the Neutrino EK landing page:

The landing page shows the URI for the Flash exploit:

Here is the GET for the SWF exploit:

Followed by the usual GET for an empty HTML:

The last request to the EK is for the CryptMIC payload:

Some CryptMIC files are found in %APPDATA%:

Once the machine is infected there are ransom notes dropped on the Desktop and in numerous folders.

Here is a look at the post-infection traffic, however, the server appears to be unresponsive:

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: