Afraidgate Leads to Neutrino EK at and Drops Locky Ransomware

IOCs: – – Compromised Site – – Afraidgate JS – – Neutrino EK

HTTP requests
URL: hxxp://

URL: hxxp://

URL: hxxp://

URL: hxxp://

DNS requests ( (

TCP connections

SHA256: 2bc68530c59c8151fd0e8dece8ac28a8e1a58ac9c4e4ba03b6ebdbc43953641f
File name: Afraidgate malicious JS.js

SHA256: 7b3461cd882c0d487906c68bb7dbef09f4fced867e94584d1d0eae2ee86d28c3
File name: Neutrino EK Landing Page.html

SHA256: 181e6f0e048dad4e7597c10021a74d63b15e28c5e871226c9858a31b51ebf708
File name: Neutrino EK SWF Exploit.swf

SHA256: 409475789697476df4969df8fbaded0f3bf81d6310a109a2c6d97ae8862ee675
File name: radE17A7.tmp.exe

This was another compromised site that I found leading to Neutrino EK at Just like with my previous encounters with Afraidgate the EK delivered a Locky payload.

Below is the injected Afraidgate script and the response from the server:

The script returns a snippet of code containing the iframe that is responsible for redirecting the host to the Neutrino EK landing page.

Below is the Neutrino EK landing page as seen in traffic and the HTML file:

Again, it is the code on the landing page which is responsible for making the GET for the Flash exploit.

Next comes the GET for the HTML file 0 bytes in size and, when viewing the source code, containing a single “1”:

Last but certainly not least comes the Locky payload. There is a .DAT file dropped in the Temp folder, followed by the Locky .exe. Both files delete themselves once the system is infected.

The file description says “Harbor” and the company says “Liberated.” Not sure if that is random or if it’s meant to have some meaning.

For post-infection callback traffic please see the IOCs section at the very top. I would recommend blocking the Neutrino EK IP as well as the post-infection IPs and domains at your perimeter firewall(s).


Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: