pseudoDarkleech Leads to Neutrino EK at 74.208.192.10 Which Drops CryptMIC Ransomware

IOCs:

216.58.216.99 – moanavoyage.org – Compromised Site
74.208.192.10 – biodynaaminen.pahiremidlands.co.uk – Neutrino EK
85.14.243.9 – CryptMIC post-infection traffic over TCP port 443

Hashes:
SHA256: 44ea0ce673f1c5cd0637a2212d2b9370e9cffc8487ce96209c8fae3236461170
File name: Neutrino EK Landing Page.html

SHA256: 373c2de51a57012eb0b9f212caff5442b6107e35040f13ff2dd180d74d54b335
File name: Neutrino EK SWF Exploit.swf

SHA256: 49c845bf2371b515b71787464e7225a76bbb3724b92bc9a80fad843eba6d9b69
File name: radE41AE.tmp.dll

This is another typical pseudo-Darkleech to Neutrino EK infection chain. Below we can see the pseudo-Darkleech code injected in the compromised site. The tag contains the URL for the Neutrino EK landing page:

The landing page shows the URI for the Flash exploit:

Here is the GET for the SWF exploit:

Followed by the usual GET for an empty HTML:

The last request to the EK is for the CryptMIC payload:

Some CryptMIC files are found in %APPDATA%:

Once the machine is infected there are ransom notes dropped on the Desktop and in numerous folders.

Here is a look at the post-infection traffic; however, the server appears to be unresponsive:
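As an added defender-side example (not code from the original post), here is a small correlator that walks proxy and firewall records per client host and only advances a host along the chain stages described above, in order and within a time window. The host names and C2 IP come from the IOC list; the log line format, the URI placeholders, the stage names and the 15-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Indicators from the post above; the 15-minute window and stage names are assumptions.
COMPROMISED_SITE = "moanavoyage.org"
EK_HOST = "biodynaaminen.pahiremidlands.co.uk"
C2_IP = "85.14.243.9"
WINDOW = timedelta(minutes=15)
STAGES = ["compromised_site", "ek_landing", "ek_swf_exploit", "ek_post_exploit", "c2_callback"]
PROXY_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\S+)$")   # time client GET host path
FW_RE = re.compile(r"^(\S+) (\S+) TCP (\S+):(\d+)$")      # time client TCP dst_ip:dst_port

# Constructed sample log, not capture data; the URI paths are placeholders, not the real EK URIs.
SAMPLE_LOG = """\
2016-08-01T10:00:01 10.0.0.5 GET moanavoyage.org /
2016-08-01T10:00:02 10.0.0.5 GET biodynaaminen.pahiremidlands.co.uk /LANDING_PATH
2016-08-01T10:00:03 10.0.0.5 GET biodynaaminen.pahiremidlands.co.uk /EXPLOIT_PATH.swf
2016-08-01T10:00:04 10.0.0.5 GET biodynaaminen.pahiremidlands.co.uk /EMPTY_PATH
2016-08-01T10:00:05 10.0.0.5 GET biodynaaminen.pahiremidlands.co.uk /PAYLOAD_PATH
2016-08-01T10:00:20 10.0.0.5 TCP 85.14.243.9:443
2016-08-01T11:00:00 10.0.0.9 GET moanavoyage.org /
"""

def parse(line):
    """Map one log line to (timestamp, client, stage), or None if it is unrelated to the chain."""
    m = PROXY_RE.match(line)
    if m:
        ts, client, host, path = m.groups()
        if host == COMPROMISED_SITE:
            return ts, client, "compromised_site"
        if host == EK_HOST:  # landing vs. post-exploit GET is decided per client in correlate()
            return ts, client, "ek_swf_exploit" if path.lower().endswith(".swf") else "ek_get"
        return None
    m = FW_RE.match(line)
    if m and (m.group(3), m.group(4)) == (C2_IP, "443"):
        return m.group(1), m.group(2), "c2_callback"
    return None

def correlate(log_text):
    """Return {client: [stages reached, in chain order]} built only from events that fit the sequence."""
    chains, started = defaultdict(list), {}
    for ts, client, stage in filter(None, map(parse, log_text.splitlines())):
        ts, seen = datetime.fromisoformat(ts), chains[client]
        if stage == "ek_get":  # first EK GET is the landing page; EK GETs after the SWF are the empty HTML and payload
            stage = "ek_post_exploit" if "ek_swf_exploit" in seen else "ek_landing"
        if stage in seen or (seen and (STAGES.index(stage) < STAGES.index(seen[-1]) or ts - started[client] > WINDOW)):
            continue  # duplicate, out of chain order, or outside the window: not part of this chain
        started.setdefault(client, ts)
        seen.append(stage)
    return dict(chains)
```

A host that reaches `ek_swf_exploit` or later is the one worth pulling for the %APPDATA% files and ransom notes noted above.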

malwarebreakdown
