Malware-Traffic-Analysis.net - 2015-07-05 - BizCN gate actor using Nuclear EK

2015-07-05 - BIZCN GATE ACTOR USING NUCLEAR EK - TRAFFIC AND MALWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-10-pcaps.zip (8,629,269 bytes)
2015-07-05-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip (1,316,015 bytes)

Individual pcap files within the above traffic archive:

2015-07-03-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap (1,058,928 bytes)

2015-07-03-BizCN-gate-actor-Nuclear-EK-traffic-example-2.pcap (606,443 bytes)

2015-07-03-BizCN-gate-actor-Nuclear-EK-traffic-example-3.pcap (1,030,374 bytes)

2015-07-04-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap (632,325 bytes)

2015-07-04-BizCN-gate-actor-Nuclear-EK-traffic-example-2.pcap (4,949,332 bytes)

2015-07-04-BizCN-gate-actor-Nuclear-EK-traffic-example-3.pcap (1,082,113 bytes)

2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap (626,075 bytes)

2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-2.pcap (1,095,644 bytes)

2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-3.pcap (579,164 bytes)

2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-4.pcap (585,983 bytes)

NOTES:

Above has the traffic & malware for an article I wrote at: https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
The traffic listed below shows the compromised website followed by the BizCN gate, then Nuclear exploit kit (EK).
Nuclear EK traffic from 2015-07-02 through 2015-07-05 used 107.191.63[.]163.

TRAFFIC

2015-07-03 22:33:56 UTC - forums.pinstack[.]com - GET /
2015-07-03 22:33:57 UTC - 136.243.227[.]9 - woodicani[.]pw - GET /q_uRkrI-UXs-VYQP_/zjNmkORiYMGVQ-.js?
qZnczx=_bt5WW3b&_=c3R-d6&Rxil8aUDW=5_dbev&8torYfT=2eS4Qc&hp=185n2&f67g-Ial1=e5_g1_6

2015-07-03 22:34:38 UTC - gastone[.]cf - GET /BEcMTVVLAlMVRQtZABwFVw.html
2015-07-03 22:34:38 UTC - gastone[.]cf - GET /AEoWTQVCD05XTVdLAlMVRQtZABwFVxgFVAFIBEoAVRxXBFdLVAZVBF0BVwpRCRhRCQM
2015-07-03 22:34:39 UTC - gastone[.]cf - GET /A1sKVBhWEFgaABgEGVUHQhBYC1dIUgJLVwNVH1EZUgJIAFEEGQNSAlEOUwBeBlxLUE4KViFtLEoteCdOGQM
2015-07-03 22:34:42 UTC - gastone[.]cf - GET /A1sKVBhWEFgaABgEGVUHQhBYC1dIUgJLVwNVH1EZUgJIAFEEGQNSAlEOUwBeBlxLUk4KViFtLEoteCdOGQM

2015-07-03 22:57:07 UTC - www.gtrlife[.]com - GET /
2015-07-03 22:57:09 UTC - 136.243.25[.]241 - alekaasandmeens[.]com - GET /V_OhYJ-_KxrMXsRZgUi-zWn/-xhow_-NYUn-PMrLy/-sTzu_-.js?
hJwg=7r9&8bSOWMz-y=Gf4&u=eIa&v0wxZ=2V1&SuoV21Z=nb4-&MINlxtU=wap2&Y_toz7C=0N6q&-lex-f=12&MkVHnT5-W=Q1-4p

2015-07-03 22:57:14 UTC - altone[.]ml - GET /TwcADB5USlQJEA0LUxsICA.html
2015-07-03 22:57:15 UTC - altone[.]ml - GET /U00VGBtXU10ZVR5WSlQJEA0LUxsICB5WBxtWSlNQABtdUh5UAgZQXVRRBAZRGAQJBw
2015-07-03 22:57:16 UTC - altone[.]ml - GET /UFwJAR4cBFANGFMZBUkECBYKWFBLCQ4ZBQRLV0xUAwNLXFQZBwFWUVtTAgdWUB5SSnkOHAgTflEcAh5U

2015-07-03 23:57:29 UTC - rugerforum[.]net - GET /
2015-07-03 23:57:30 UTC - 136.243.25[.]241 - sansaiaarias[.]com - GET /SJx_Rpi-Vg-qMm-OK-vzIHLsX/K_M_NV/qtLJlWguN_zH-S_/xgqM_novZR_Q.js?
GqpC=0a91ef013f9&n=0TfedTdRe-54V8ud3&kje03ymu1=fX

2015-07-03 23:57:53 UTC - altone[.]ml - GET /U1wHFB5USlQJEA0LUxsICA.html
2015-07-03 23:57:54 UTC - altone[.]ml - GET /U00VGAcMVEUZVR5WSlQJEA0LUxsICB5UBgxLVVRcGARSSlNSD0lUUFFQDwNSXFVRSlMJVQ
2015-07-03 23:57:55 UTC - altone[.]ml - GET /UFwJAR4AX1cVGFMZBUkECBYKWFBLCQ4ZBwVcSlNTDxtUU0xUAQwZVVZWAwxTU1pSAklQGAcJWGE9PgcMSgQ
2015-07-03 23:57:57 UTC - altone[.]ml - GET /UFwJAR4AX1cVGFMZBUkECBYKWFBLCQ4ZBwVcSlNTDxtUU0xUAQwZVVZWAwxTU1pSAklSGAcJWGE9PgcMSgQ

2015-07-04 13:32:53 UTC - www.visajourney[.]com - GET /
2015-07-04 13:32:55 UTC - 136.243.25[.]242 - margaritailles[.]com - GET /YskhVUK-/J_Ol_-j-/v_iy-N.php?
ME=93&PYlKOX=bOe&o=a9&-=c_6&q-3Y=dh5&9avl-Dkm=eX3&noeO-09-d=62-&u3=e9&x=8S0

2015-07-04 13:33:04 UTC - centfou[.]gq - GET /V1QCD14GTlJOAVAKRgVdFxsDQw.html
2015-07-04 13:33:05 UTC - centfou[.]gq - GET /VxtCHlBTAg5ZAElVTlBOAVAKRgVdFxsDQx8HTARUAE0DVQRKA1BOUwFXBFMDVAJcBx9UDgQ
2015-07-04 13:33:06 UTC - centfou[.]gq - GET /VApeB0kBBVNfCVcYAx8BHlYBXBdUDUBKVRJOVxtVAlEcUwJVHFIBHgRQAVUCUwNTClZOV0kQRg1zFV0Rah8D
2015-07-04 13:33:08 UTC - centfou[.]gq - GET /VApeB0kBBVNfCVcYAx8BHlYBXBdUDUBKVRJOVxtVAlEcUwJVHFIBHgRQAVUCUwNTClZOVUkQRg1zFV0Rah8D

2015-07-04 15:25:25 UTC - www.gm-trucks[.]com - GET /
2015-07-04 15:25:26 UTC - 136.243.25[.]242 - hillarytone[.]com - GET /lnJqt--wxI-k_XzS_viQrNp/XsmYNizuj/tKlNkyQpoxTsPZH_jqOzW_w.php?
KX9=46T&Rr4=ac&gNKR=1k3&FXCc=0_s2&dcwhJC_=b2Z&S8Jm=b_dt&5EZNi=a7K&Vq-KA-H-=c7

2015-07-04 15:25:32 UTC - centfou[.]gq - GET /RVFZAQUYAx9RB1sQVAxHTFIV.html
2015-07-04 15:25:33 UTC - centfou[.]gq - GET /VxtCHkJWWQACHgQYAR9RB1sQVAxHTFIVTlsCTAdQAU0DWgVKA1cKHgRQAVUCUAZRAVBOBFlV
2015-07-04 15:25:34 UTC - centfou[.]gq - GET /VApeB0kTAAhRUklVTlBOAVAKRgVdFxsDQx8KUhtWBlAcUw1UHFIGWklVBlAEUgdXB1ABHgIYZQx_EnMYAw

2015-07-04 19:23:59 UTC - www.i-programmer[.]info - GET /
2015-07-04 19:24:01 UTC - 136.243.227[.]9 - epittowds[.]pw - GET /wXZVqy-Jkj--NptHi-S_PxK_u/WgwmVLlNnvtjYZUh/-wPTVtK-QMlUu_WRZ-G-oNY.js?
q_f=98J&-eqnoOJK-=e0&ev4gRQM=64&n=1y6&wVEBzCP=m5eZ&zbHkIG=et8&1pA=0

2015-07-04 19:24:10 UTC - betsfoi[.]ga - GET /WhkDVFYCS1BPAFYXRAdcCx0EVg.html
2015-07-04 19:24:11 UTC - betsfoi[.]ga - GET /UhlDHl4bB1dWA09SS1JPAFYXRAdcCx0EVh0EWh1SBVgdUwZTGVYEHgJXBFcDUQRbAlFPBF9S
2015-07-04 19:24:11 UTC - betsfoi[.]ga - GET /UQhfB08OT1EFB1IfBh0AHlEGQxJVDVpNUABPVQtNBlMKTAJWB08EVU9SA1IFUgBUD1QDHgYfVBNHOlE5dR0C
2015-07-04 19:24:15 UTC - betsfoi[.]ga - GET /UQhfB08OT1EFB1IfBh0AHlEGQxJVDVpNUABPVQtNBlMKTAJWB08EVU9SA1IFUgBUD1QDHgQfVBNHOlE5dR0C

2015-07-05 03:10:42 UTC - writingcommons[.]org - GET /
2015-07-05 03:10:46 UTC - 136.243.25[.]241 - glamdiarysnow[.]com - GET /zj-ISV-XNL-ktQrihgZs-T-Yp/-OMrW_kHLpJxiZQRn-IT--t.js?
Z-m=Q9fn6ra2db0d1&C=b6_27cY915nfeM&uTd8=v31f7-5tcw4Za8d

2015-07-05 03:10:53 UTC - bluebit[.]ga - GET /R1MMExoJSlUIFwNaX0NKBQc.html
2015-07-05 03:10:54 UTC - bluebit[.]ga - GET /U08UHhdcXkYYUxoLSlUIFwNaX0NKBQdEAA5KV1EWBwFRTFcBBEtVVlUOBgFRWlMMSlEIUw
2015-07-05 03:10:56 UTC - bluebit[.]ga - GET /UF4IBxpJUl8VHldEBUsGDhNdVF4QTAFZSgFdTFMPGAZSV0gJDwUYU1ILAAdSV14NAktTHgdPeHgBEhoJ

2015-07-05 14:22:07 UTC - www.acne[.]org - GET /messageboard/
2015-07-05 14:22:08 UTC - 136.243.25[.]242 - melodiimilii[.]com - GET /hMVQixXy_s-/OI-RSzXroP-m/XLxpomzKGn-/Y___i-tmZ-khzpSsQ.php?
-N=0l1784u497G8c82Zf2fdx2Yb

2015-07-05 14:22:13 UTC - bluebit[.]cf - GET /AAVSQBpUHVZZTAMHCEAbWgA.html
2015-07-05 14:22:13 UTC - bluebit[.]cf - GET /BExFRQdUBk1JCBpWHVZZTAMHCEAbWgAZVBoDC0hUVBoECV4ZUAAGD1dVVwUGChoDDQU
2015-07-05 14:22:14 UTC - bluebit[.]cf - GET /B11ZXBoEUFNMRVcZUkhXVRMAA11BFwUDHQEbD1RLUAEbCFZdHQUBClBUUQIEClUZVEhday0oFG1FSDQIHQU
2015-07-05 14:22:16 UTC - bluebit[.]cf - GET /B11ZXBoEUFNMRVcZUkhXVRMAA11BFwUDHQEbD1RLUAEbCFZdHQUBClBUUQIEClUZVkhday0oFG1FSDQIHQU

2015-07-05 19:50:34 UTC - www.iwsti[.]com - GET /
2015-07-05 19:50:35 UTC - 136.243.224[.]10 - nealychy[.]com - GET /pP-L___Nrlt-RmGsiJKo/M-ptrJNOqn-moK_v.js?
RrfM6hwq=ab3d6_e&IAbRr=bJ6f1eo4&YKmCU=dwcR4Lb_c3P&atxe=gaYM62wa2ia&x=5Q

2015-07-05 19:50:39 UTC - fellinio[.]cf - GET /Wl9VUB4CS1FSWw5aWV5YGQFV.html
2015-07-05 19:50:40 UTC - fellinio[.]cf - GET /Uk9HSw9bVVBLBh4AS1FSWw5aWV5YGQFVSwIHGVQDGQYEA0wCAwRLBlYAAQYFAloADktRW1M
2015-07-05 19:50:41 UTC - fellinio[.]cf - GET /UV5bUh5eX1VQS1NPBEtRUg5fXlleWExQUUsCB0wFBxkGBFYdBgMES1MHBAEGBVcLBA5LAB5LRHtDZChnSwY

2015-07-05 20:11:43 UTC - www.depressionforums[.]org - GET /forums/
2015-07-05 20:11:44 UTC - 136.243.25[.]242 - bestmylikex[.]com - GET /Z-wjYS__HzNIyXpqQm_is/mh_r_T/-t/Tvkjq--GpRuMJt.js?
ehx=b8s7d-&C3Q=G4V0LdRd&C=T2-0n3Rd-&qZL=fjaeaQ&_j3-5=bSL37j9&-XSkC0qE=9c7Ve

2015-07-05 20:12:02 UTC - fellinio[.]cf - GET /UQRYS1NPUVJbWwtdXlgZVAQ.html
2015-07-05 20:12:04 UTC - fellinio[.]cf - GET /Uk9HSwQAWEsGS1FPUVJbWwtdXlgZVARPBgcEGVMBGQ4ZBlcDSwYDBFQCBQAGBVBPUVsG
2015-07-05 20:12:06 UTC - fellinio[.]cf - GET /UV5bUh5VBFhLBh4AS1FSWw5aWV5YGQFVSwYHBEwCBRkOGVMGB0sGA1EFBgUABlABSwBLZjVpekFATglmSwY

Click here to return to the main page.