72.10.49.22 – ionedds.com – Compromised Site
74.208.192.13 – arkisempaa-mycobutin.smoothbadger.uk – Neutrino EK
85.14.243.9 – Post-infection CryptMIC callback traffic over TCP port 443
Hashes:
SHA256: c2e931c5b81ecc0cb617f7e9ebf20e7626f2dee496e6f0e1e65bc19eb42a365c
File name: Neutrino EK Landing Page
SHA256: 0a42e068479e729d295a0d5e9505d7e291c201d557e315f5327e009455ea81df
File name: Neutrino EK SWF Exploit
SHA256: ca7a59c4a6106e1f74f7519250c19e1bf48ea0aeed2cdf22b0a4715f0a858b81
File name: rad7318C.tmp.dll – Payload in %APPDATA%
The infection chain starts with a compromised site containing a pseudo-Darkleech script in an iframe tag:
The iframe redirects the host to the Neutrino EK landing page:
The landing page contains the URI for the SWF exploit.
Below is the GET for the SWF exploit:
Once the SWF exploit is dropped on the system, we see a GET for an empty file followed by a GET for a CryptMIC payload:
After the payload is dropped and executed, there is a post-infection callback to an unresponsive server (no return traffic):
We can see the payload within the %APPDATA% directory along with some other CryptMIC files:
Here are some images of the different ransom notes being dropped on the Desktop as well as an image of what an encrypted file looks like:
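To turn the indicators above into something a defender can actually run, here is an added example (not part of the original write-up) that matches the listed IPs, domains and SHA256 hashes against log records and file content. The log format (timestamp, client IP, destination IP, port, method, host, path, status, bytes sent, bytes received) and every sample log line are constructed for illustration and are not from the write-up; the zero-byte response on the 85.14.243.9:443 record mirrors the "no return traffic" observation and is used only as corroborating context, not as a requirement for a hit.

```python
import hashlib

# Indicators of compromise as listed in the write-up above.
IOC_IPS = {
    "72.10.49.22": "compromised site",
    "74.208.192.13": "Neutrino EK landing page / SWF exploit",
    "85.14.243.9": "CryptMIC post-infection callback",
}
IOC_HOSTS = {
    "ionedds.com": "compromised site",
    "arkisempaa-mycobutin.smoothbadger.uk": "Neutrino EK landing page / SWF exploit",
}
IOC_SHA256 = {
    "c2e931c5b81ecc0cb617f7e9ebf20e7626f2dee496e6f0e1e65bc19eb42a365c": "Neutrino EK landing page",
    "0a42e068479e729d295a0d5e9505d7e291c201d557e315f5327e009455ea81df": "Neutrino EK SWF exploit",
    "ca7a59c4a6106e1f74f7519250c19e1bf48ea0aeed2cdf22b0a4715f0a858b81": "CryptMIC payload (rad7318C.tmp.dll)",
}

# Constructed proxy/firewall log lines in a hypothetical whitespace-separated format:
# ts client_ip dst_ip dst_port method host path status bytes_sent bytes_recv
SAMPLE_LOG = """\
2016-08-02T14:01:03Z 10.1.1.25 72.10.49.22 80 GET ionedds.com / 200 4096 21504
2016-08-02T14:01:04Z 10.1.1.25 74.208.192.13 80 GET arkisempaa-mycobutin.smoothbadger.uk /landing 200 2048 7168
2016-08-02T14:01:05Z 10.1.1.25 74.208.192.13 80 GET arkisempaa-mycobutin.smoothbadger.uk /exploit.swf 200 1024 65536
2016-08-02T14:01:06Z 10.1.1.25 74.208.192.13 80 GET arkisempaa-mycobutin.smoothbadger.uk /empty 200 512 0
2016-08-02T14:01:07Z 10.1.1.25 74.208.192.13 80 GET arkisempaa-mycobutin.smoothbadger.uk /payload 200 512 524288
2016-08-02T14:01:20Z 10.1.1.25 93.184.216.34 443 CONNECT example.com - 200 1200 9800
2016-08-02T14:01:31Z 10.1.1.25 85.14.243.9 443 CONNECT - - 0 900 0
"""

LOG_FIELDS = ("ts", "client", "dst_ip", "dst_port", "method", "host",
              "path", "status", "bytes_sent", "bytes_recv")


def parse_line(line):
    """Parse one constructed log line into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    for key in ("dst_port", "status", "bytes_sent", "bytes_recv"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Return (stage, reason) if the record matches a listed IoC, else None."""
    host = rec["host"].lower()
    if host in IOC_HOSTS:
        return IOC_HOSTS[host], f"host {host}"
    ip = rec["dst_ip"]
    if ip in IOC_IPS:
        stage = IOC_IPS[ip]
        # The write-up saw no return traffic from the callback server; note it when present.
        if ip == "85.14.243.9" and rec["bytes_recv"] == 0:
            return stage, f"ip {ip} on port {rec['dst_port']} with no return traffic"
        return stage, f"ip {ip}"
    return None


def scan_log(text):
    """Walk the log and collect every IoC hit with its chain stage."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result:
            stage, reason = result
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "stage": stage, "reason": reason})
    return hits


def infected_clients(hits):
    """Clients showing the whole chain: compromised site -> EK -> CryptMIC callback."""
    stages_by_client = {}
    for hit in hits:
        stages_by_client.setdefault(hit["client"], set()).add(hit["stage"])
    needed = set(IOC_IPS.values())
    return sorted(c for c, stages in stages_by_client.items() if needed <= stages)


def sha256_label(data):
    """Hash file content and look it up in the IoC table; label or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["client"], hit["stage"], "-", hit["reason"])
    print("clients with full chain:", infected_clients(hits))
    print("hash match:", sha256_label(b"constructed benign content"))
```

Matching on the host first and the IP second means a hit still fires when the EK domain moves to a new address or when the callback is a bare CONNECT with no hostname, as in the last sample line; `sha256_label` is meant to be fed the bytes of files found under %APPDATA%, where the write-up places the payload.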