Malware-Traffic-Analysis.net - 2015-09-15 - Nuclear EK from 162.247.14[.]136 sends TeslaCrypt 2.0 ransomware

2015-09-15 - NUCLEAR EK FROM 162.247.14[.]136 SENDS TESLACRYPT 2.0 RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

NOTES:

More information on TeslaCrypt 2.0 ransomware can be found at: https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/

TRAFFIC

ASSOCIATED DOMAINS:

162.247.14[.]136 port 80 - zaprolikilavandu[.]tk - Nuclear EE
myexternalip[.]com - IP address check by the ransomware
79.96.20[.]98 port 80 - majowy[.]info - TeslaCrypt 2.0 ransomware callback traffic

NUCLEAR EK:

2015-09-15 02:31:58 UTC - zaprolikilavandu[.]tk - GET /search?q=cXw9SR1JeU&XQ5=dhYdR&T8m=gg.&N7Fc=3827ff87b&BhHBTll=e&9Jp=fV&
QKEr=8f95074&UMnR=blRRhFcXVpb&DEPauUE=aWF1UUxtPV1leBh8ATU

2015-09-15 02:32:00 UTC - zaprolikilavandu[.]tk - GET /test?7xLW=61c72fb72b&J87=elIHBQECDlcAAAtMUA8A&8Nwx=dEeBFUdAAIBS&
KEl7VF=aVEtASgVZXwNMBR8CA09KVxNBXl9ZXQ&W9w6=cbSlYdBw&O4ipy=9618066&QWkmA=bpfUEVRWAdGH0d

2015-09-15 02:32:01 UTC - zaprolikilavandu[.]tk - POST /document.shtml?AyTBzf=dcDB1tPAg..&2p3=cQIEAlEBCQ&K5KZg9V=39c55f1f&
IKqkqt=bAFEdAwUeB1ICT&VMMNWk=0142839&GyUVanN=aVVtvXBBPV1leBh9JUENCWQ9aWlpcVxVSX1dFGBdYTQYe

2015-09-15 02:32:02 UTC - zaprolikilavandu[.]tk - GET /cart?4MmuIh=dFEFHwIBB&X9Ff6=589d6524&OfBr0l0=aV1pcUx9VW10ASlBPAAFMTAJDQ1xcX&
UCc=94a563&FbAUh=cEXR8GHwUCG&FGEaoV2=ex8CBQcCBFsHAgIISlRPWlBHYTZ-Ykl8fx8C&Bv1G=bwhaXVJGVw1XRB1

POST-INFECTION TRAFFIC:

2015-09-15 02:32:10 UTC - myexternalip[.]com - GET /raw

2015-09-15 02:32:11 UTC - majowy[.]info - GET /wp-content/plugins/wp-handy-lightbox/misc.php?98C347241FB030F610988E328A0E8D25C31B455C0CDEC46BDFA05C
2660ABA0C9E9F708C6FA779143C53429A5A5F1A0892DDC315088D858E0AF0C5A002FB401188F68B670C2516C83383AB439E58965604815644F8083424A5B81256
CB6F600EA29B72DE917AA508934B15A6A9A4E4D9A6FBDAF7586667EED6D3C0FAA848F5F0DFE954E81062213172F454830AD1BBC2A4B2CB83E389C19F312F737
1C1CAA33B06F3042CB20E44797D684C696B019456536A439ECB368A08852ECE209AD759609BF3086DBE9FEDA8E5A3A62DBF6121FA6AAC66D31092EA928EADF
7BD4DC55C86076DBE57142B134AA36FB236E85037DA439E88770A0CBC4F4C2A8C6F5B25C19EBAC64192CF2A91ABF64F72440EEFDB504D618C6C94120607771
CDDB87EB5002ED7541DBBB2AB924140FF33E79BC73F91C0875DE9BA7F1B9E79D27A38BA2DF8B9957D3B98015DF944377A095DC869480E368D44694351808388
DFA74547C21D3D0

Click here to return to the main page.