2015-09-18 - NUCLEAR EK FROM 178.62.72.26 - OAACDERESFTU.TK

PCAP AND MALWARE:

 

NOTES:

 


Shown above: EmergingThreats events after using tcpreplay on the pcap in Security Onion.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE:


Shown above: injected script in a page from the compromised website.

 

NUCLEAR EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-09-18-Nuclear-EK-flash-exploit.swf
File size:  59.6 KB ( 61003 bytes )
MD5 hash:  c5d8570ec474f9d60927a695d56f24b2
SHA1 hash:  079b6bef4ec194c26c2446979773662a2589c33c
SHA256 hash:  264e4ada0f4dccad2566c7a65fd14331cc75d8004085c9f75a89dcabbc15d7a1
Detection ratio:  1 / 56
First submission:  2015-09-18 17:48:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/264e4ada0f4dccad2566c7a65fd14331cc75d8004085c9f75a89dcabbc15d7a1/analysis/

 

MALWARE PAYLOAD 1 OF 2:

File name:  2015-09-18-Nuclear-EK-malware-payload-1-of-2.exe
File size:  119.5 KB ( 122320 bytes )
MD5 hash:  aac02336420ccbfab665ff540f6ea64c
SHA1 hash:  8d27daed2d11f0be4baa2fc9c5acb5b3e3ba2d16
SHA256 hash:  1bb07d0a894f8993f00c3efa6b02b28e29e14cd4c624b034917147fffe0d01e9
Detection ratio:  4 / 56
First submission:  2015-09-18 17:13:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1bb07d0a894f8993f00c3efa6b02b28e29e14cd4c624b034917147fffe0d01e9/analysis/
Malwr link:  https://malwr.com/analysis/YWYyYWQ2YWVjYjAxNDVlZWJmZGU5ZmYxOWUwZDEwMDA/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/1bb07d0a894f8993f00c3efa6b02b28e29e14cd4c624b034917147fffe0d01e9?environmentId=4

 

MALWARE PAYLOAD 2 OF 2:

File name:  2015-09-18-Nuclear-EK-malware-payload-2-of-2.exe
File size:  785.5 KB ( 804352 bytes )
MD5 hash:  67fefb283d13612ac25158ec091c4ce4
SHA1 hash:  beb72b957c58ed3d4a6a6145452f4dc1aab538ff
SHA256 hash:  8e1fa4954c53d4156370dec97c6d8f857db1017692a8e7ffbdededbcb930cfb3
Detection ratio:  39 / 55
First submission:  2015-05-05 20:00:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e1fa4954c53d4156370dec97c6d8f857db1017692a8e7ffbdededbcb930cfb3/analysis/
Malwr link:  https://malwr.com/analysis/YzhmOGVkMGMxYTk0NDAxMmE1MjI4NWQ4ZWZlMjRhZTc/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/8e1fa4954c53d4156370dec97c6d8f857db1017692a8e7ffbdededbcb930cfb3?environmentId=4

 

OTHER FILE ON INFECTED HOST:

NOTE: This malware exhibited some of the same characteristics as malware payload 2 of 2.
File name:  C:\Users\username\AppData\Local\Temp\37577C28.exe
File name:  C:\ProgramData\Drivers\csrss.exe
File size:  865.0 KB ( 885760 bytes )
MD5 hash:  a33bd7f15f886aa1bb9ec3a7d48765c0
SHA1:  4860e85ea05229954596190032d9d0e98a10a281
SHA256:  65f4c3513058984576901221c97b4c884a1e1672591ccea455f49f84c7ef3960
Detection ratio:  33 / 56
First submission:  2015-09-17 01:44:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/65f4c3513058984576901221c97b4c884a1e1672591ccea455f49f84c7ef3960/analysis/
Malwr link:  https://malwr.com/analysis/ZDdmNDA5MzkyMjIxNDdhNGIxNzExZmM3NWExMWYwNTU/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/65f4c3513058984576901221c97b4c884a1e1672591ccea455f49f84c7ef3960?environmentId=4

 

SCREENSHOTS

Below is a screenshot of the infected Windows desktop:

 

The text files dumped to the desktop all have the same message and same email addresses to discuss the ransom payment:

 

The first thing I'll do after infecting a Windows host is review the traffic, filtering on http.request.  In this case, the infected host performed scanning or brute-force login attempts against various WordPress sites.  There's more than the ransomware going on here:
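The scanning and brute-force pattern described above can be picked out of an http.request listing without reading every row. The script below is an added example, not part of the original post or the pcap: it takes tab-separated request records in the shape of a tshark field export (time, source, destination, Host header, method, URI), with constructed RFC 5737 / RFC 2606 placeholder addresses and hostnames rather than values from this capture, and flags any source that repeatedly POSTs to WordPress login endpoints across several sites.

```python
from collections import defaultdict

# Constructed sample records (not from the pcap) in the column order of
#   tshark -r file.pcap -Y http.request -T fields -e frame.time_relative -e ip.src
#          -e ip.dst -e http.host -e http.request.method -e http.request.uri
# 192.0.2.10 is the hypothetical infected host; the rest are placeholders.
SAMPLE_REQUESTS = """\
0.412\t192.0.2.10\t198.51.100.5\tblog1.example.net\tGET\t/
1.021\t192.0.2.10\t198.51.100.5\tblog1.example.net\tPOST\t/wp-login.php
1.455\t192.0.2.10\t198.51.100.5\tblog1.example.net\tPOST\t/wp-login.php
2.118\t192.0.2.10\t198.51.100.6\tblog2.example.net\tPOST\t/wp-login.php
2.604\t192.0.2.10\t198.51.100.6\tblog2.example.net\tPOST\t/xmlrpc.php
3.337\t192.0.2.10\t198.51.100.7\tblog3.example.net\tPOST\t/wp-login.php
3.912\t192.0.2.10\t198.51.100.8\tblog4.example.org\tPOST\t/wp-login.php
4.250\t192.0.2.10\t198.51.100.8\tblog4.example.org\tPOST\t/wp-login.php
5.003\t192.0.2.77\t198.51.100.5\tblog1.example.net\tGET\t/wp-login.php
5.880\t192.0.2.77\t203.0.113.2\twww.example.com\tGET\t/index.html
"""

# Endpoints that credential-guessing tools hammer on WordPress installs.
WP_LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_requests(text):
    """Turn the tab-separated export into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, host, method, uri = line.split("\t")
        records.append({"time": float(t), "src": src, "dst": dst,
                        "host": host, "method": method, "uri": uri})
    return records


def find_wp_login_abuse(records, min_attempts=5, min_hosts=2):
    """Return {src: {"attempts": n, "hosts": sorted list}} for every source that
    POSTed to a WordPress login endpoint at least min_attempts times against at
    least min_hosts distinct sites. A single GET of wp-login.php is ordinary
    browsing and is deliberately not counted."""
    attempts = defaultdict(int)
    hosts = defaultdict(set)
    for r in records:
        path = r["uri"].split("?", 1)[0]
        if r["method"] == "POST" and path in WP_LOGIN_PATHS:
            attempts[r["src"]] += 1
            hosts[r["src"]].add(r["host"])
    return {src: {"attempts": n, "hosts": sorted(hosts[src])}
            for src, n in attempts.items()
            if n >= min_attempts and len(hosts[src]) >= min_hosts}


if __name__ == "__main__":
    for src, info in find_wp_login_abuse(parse_requests(SAMPLE_REQUESTS)).items():
        print(f"{src}: {info['attempts']} login POSTs against {len(info['hosts'])} sites: {info['hosts']}")
```

Against real data, feed the function the output of the tshark command shown in the comment; the thresholds are starting points, and the useful signal is one internal source touching many unrelated WordPress hosts in a short window rather than the raw request count.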

 

If you check the Nuclear EK traffic, you'll find two malware payloads were passed.  They're easy to spot because of the repeating ASCII patterns in the data.  As I've noted in previous blog entries, Nuclear EK XORs the malware payload with an ASCII string.
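The repeating ASCII pattern is the key itself: a PE file is full of zero bytes (header padding, section alignment), and a zero byte XORed with a key byte yields that key byte unchanged, so wherever the plaintext is zero the key is written out in the clear. The script below is an added example, not code from the original post, and it does not use the real payloads; it builds a constructed PE-like blob, encodes it with a made-up ASCII key, then recovers the key length and the key from the encoded bytes alone and checks the result against the MZ header.

```python
from collections import Counter


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(enc: bytes, max_len: int = 32) -> int:
    """Pick the period L at which bytes L apart most often coincide.
    Zero-filled stretches of the plaintext repeat the key verbatim, so the true
    key length (and its multiples) score far above every other L; we take the
    smallest L that comes within 90% of the best score."""
    scores = {}
    for L in range(1, max_len + 1):
        pairs = len(enc) - L
        scores[L] = sum(1 for i in range(pairs) if enc[i] == enc[i + L]) / pairs
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * best)


def recover_key(enc: bytes, key_len: int) -> bytes:
    """For each key position, the most frequent ciphertext byte is the most
    frequent plaintext byte XOR the key byte. In a PE file that plaintext byte
    is 0x00, so the most frequent ciphertext byte IS the key byte."""
    return bytes(Counter(enc[j::key_len]).most_common(1)[0][0] for j in range(key_len))


def decode_payload(enc: bytes):
    """Recover the key and decode; refuse the result if no MZ header appears."""
    key = recover_key(enc, guess_key_length(enc))
    plain = xor_with_key(enc, key)
    if plain[:2] != b"MZ":
        raise ValueError("decoded data does not start with an MZ header; key guess failed")
    return key, plain


# Constructed stand-in for a PE payload (not a real sample): an MZ header, the
# DOS stub string, some varied bytes, and the zero padding real PE files carry.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 200
           + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 100
           + bytes(range(256)) * 2 + b"\x00" * 300)
SAMPLE_KEY = b"ZvT9qW"   # constructed ASCII key, not the one the EK used
ENCODED = xor_with_key(FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decode_payload(ENCODED)
    print("recovered key:", key, "decoded matches original:", plain == FAKE_PE)
    # The key is plainly visible where the plaintext was zero padding:
    print(ENCODED[16:40])
```

On a real capture, the input to decode_payload is the HTTP response body carved out of the EK stream (Follow TCP Stream, save the raw body); the MZ check at the end is what tells you the guess was right, and a failure usually means the body still has an HTTP header or gzip layer in front of it.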

 

To get an idea of the HTTP and other TCP traffic (SSL, etc), I'll usually use this filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)  (the two halves have to be OR'd together, since an HTTP request never coincides with a bare SYN).

 

The traffic on ports 443, 9001, and 9010 is SSL traffic.  In this case, it's TOR traffic caused by the malware.  Filter on http.request or ssl.handshake.extensions_server_name to see the server names used in the TOR traffic.  For how to display ssl.handshake.extensions_server_name as a column in Wireshark, click here.

To decode SSL traffic on non-standard SSL ports in Wireshark, from the menu, use Analyze --> Decode As...  To see everything you've set up to decode as a particular protocol, use Analyze --> User Specified Decodes...

 

One of the TCP streams over port 80 was also SSL TOR traffic.  Use Analyze --> Decode As... to properly parse this TCP stream.
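Wireshark only dissects a stream as SSL when the port says so, which is why the port 80 TOR stream needs Decode As. The same server-name check can be done port-agnostically by looking at the first bytes of every TCP stream. The script below is an added example, not from the original post: a minimal parser that pulls the SNI out of a TLS ClientHello regardless of port, returning None for anything that is not a ClientHello (such as a plain HTTP GET). The ClientHello bytes, addresses and hostnames it runs on are constructed (RFC 5737 / RFC 2606 placeholders), not taken from this capture.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension.
    Used only to produce test input; the random field is zeros on purpose."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list         # server_name ext
    body = (b"\x03\x03" + bytes(32)                                    # version, random
            + b"\x00"                                                  # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the SNI host from a ClientHello at the start of a TCP stream, or
    None if the bytes are not one. Every length is bounds-checked so a truncated
    or non-TLS stream cannot raise."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                   # not a handshake record / ClientHello
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    pos = 4 + 2 + 32                                  # handshake header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                # session id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    if pos + 1 > len(hs):
        return None
    pos += 1 + hs[pos]                                # compression methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:      # host_name entry
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def sni_per_stream(streams):
    """Map (dst_ip, dst_port) -> SNI for every stream whose first client bytes
    are a ClientHello, whatever the port."""
    return {k: extract_sni(v) for k, v in streams.items()}


# Constructed first-client-payload bytes for three streams (placeholders, not the pcap):
SAMPLE_STREAMS = {
    ("198.51.100.20", 9001): build_client_hello("relay-a.example.net"),
    ("198.51.100.21", 80):   build_client_hello("relay-b.example.org"),   # TLS on port 80
    ("203.0.113.9", 80):     b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for (ip, port), sni in sni_per_stream(SAMPLE_STREAMS).items():
        print(f"{ip}:{port} -> {sni if sni else 'not a TLS ClientHello'}")
```

The port 80 stream with a real SNI is exactly the case Decode As covers in Wireshark; here it falls out of the parse with no per-port setup, and a stream that returns None on port 80 is left to the HTTP dissector.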

 

I also noticed some unencrypted callback traffic from the infected host to 217.23.8.164 over port 80 that wasn't HTTP.

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
