184.106.55.84 – busbycabinets.com – Compromised Site
188.165.197.194 – apulaisista.scrubs101webstore.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains Ransom Note
Hashes:
SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7
File name: Neutrino EK Landing Page.html
SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a
File name: Neutrino EK Flash Exploit.swf
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d
File name: rad432F6.tmp.dll
Traffic:
The Infection Chain:
The infection chain starts off with the compromised website containing the simple pseudoDarkleech iframe tag:
The iframe redirects the host to the Neutrino EK landing page, which contains instructions for the Flash exploit:
Above in the landing page you can see the URI for the Flash exploit.
Below is the GET for that Flash exploit:
Following the Flash exploit is the usual Neutrino EK GET for an additional .html file:
Opening the .html file shows only a “1”.
Lastly we see the GET request for the CryptMIC payload:
The payload and some other CryptMIC files are dropped in %TEMP% folder:
Ransom notes are dropped in numerous locations once the system has been compromised:
Filenames aren’t encrypted or obfuscated, and no new extension is appended. The easiest way to tell whether a file has been encrypted is to open it and look.
We can also see the post-infection traffic going over TCP port 443. However, the traffic isn’t TLS-encrypted: the ransom notes are sent in the clear.
I would recommend blocking both the EK IP and the callback IP at your perimeter firewall (see IOCs at the top).
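A small detection helper, added here as an example and not part of the original write-up, that flags the two things observed above: a flow to one of the IOC addresses listed at the top, and a TCP/443 flow whose first bytes are not a TLS record header (the unencrypted CryptMIC callback). The sample flows and the ransom-note fragment are constructed for the example.

```python
# Indicators copied from the IOC list at the top of this write-up
CALLBACK_IPS = {"188.165.197.194", "46.165.246.9"}


def looks_like_tls(payload: bytes) -> bool:
    """True if a TCP stream starts with a plausible TLS handshake record:
    content type 0x16, version major 3 (SSL3/TLS1.x), non-zero length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 0x4800


def classify_flow(dst_ip: str, dst_port: int, first_bytes: bytes) -> list[str]:
    """Return alert tags for one client-to-server flow.

    'known-ioc-destination' : destination matches the write-up's EK/callback IPs
    'plaintext-on-443'      : port 443 but the first bytes are not a TLS record,
                              i.e. the kind of in-the-clear callback seen here
    """
    alerts = []
    if dst_ip in CALLBACK_IPS:
        alerts.append("known-ioc-destination")
    if dst_port == 443 and not looks_like_tls(first_bytes):
        alerts.append("plaintext-on-443")
    return alerts


# Constructed sample flows (not captures from the original post)
SAMPLE_FLOWS = [
    # Normal TLS ClientHello to an unrelated host: should stay quiet
    ("93.184.216.34", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),
    # Unencrypted callback to the IOC host on 443 carrying a ransom-note blob
    ("46.165.246.9", 443, b"POST / HTTP/1.1\r\nHost: 46.165.246.9\r\n\r\n"
                          b"YOUR FILES ARE ENCRYPTED (constructed note text)"),
    # Plain HTTP on port 80 is expected to be plaintext: no alert
    ("93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, port, data in SAMPLE_FLOWS:
        print(f"{ip}:{port} -> {classify_flow(ip, port, data) or ['clean']}")
```

Fed with the first few bytes of each new TCP stream (from a sensor or a pcap parser), the plaintext-on-443 check catches this callback even if the IP changes.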