2015-09-22 - NUCLEAR EK FROM 46.101.165[.]112 - BAGREWAKOKUGRE[.]ML
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2015-09-22-Nuclear-EK-traffic.pcap.zip
- 2015-09-22-Nuclear-EK-malware-and-artifacts.zip
- 2015-09-22-Nuclear-EK-payload-traffic-from-malwr-analysis.pcap.zip
Shown above: Sguil after using tcpreplay on the pcap in Security Onion (set up with Suricata and the EmergingThreats Pro signature set).
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- www.egsrentacar[.]com - Compromised website
- 37.9.53[.]85 port 80 - l2-bob[.]cf - Redirect/gate
- 46.101.165[.]112 port 80 - bagrewakokugre[.]ml - Nuclear EK
- 103.49.205[.]15 port 80 - www.aspcnc[.]co[.]nz - Post-infection traffic
- 82.98.151[.]211 port 80 - barcelonasunglasses[.]eu - Another post-infection domain from malwr.com's analysis of the payload
- 69.175.69[.]250 port 80 - theisitestore[.]com - Another post-infection domain from malwr.com's analysis of the payload
- 198.23.63[.]113 port 80 - visualjogja[.]com - Another post-infection domain from malwr.com's analysis of the payload
- 84.22.161[.]168 port 80 - www.alsans[.]com - Another post-infection domain from malwr.com's analysis of the payload
COMPROMISED WEBSITE AND REDIRECT:
- 2015-09-22 14:39:11 UTC - www.egsrentacar[.]com - GET /
- 2015-09-22 14:39:15 UTC - l2-bob[.]cf - GET /counter.php
NUCLEAR EK:
- 2015-09-22 14:39:15 UTC - bagrewakokugre[.]ml - GET /search?q=bhRWQMUUUNSUwsN&NTXyE=dBXUoLWA..&XpR=aXVpXXRwaUwFEUBhRAE&HFTwU66=69b764ddcb&PRb=0421a9794&OEpMB=cQVN
- 2015-09-22 14:39:16 UTC - bagrewakokugre[.]ml - GET /test?XYmFY=b19GXxYDGllfRFJQGgUL&FQ6=aUUxDRANTQ1xPD1AaBgQCRAYHU0ZWTwUNW&HhSZ7=dAHCl1VBgMGDh&Boafs=25effbd31e&LW9MpP=017b889b0&GSMEe=cD0pQAxoBClIaBQ&RCU9=egAWAc.
- 2015-09-22 14:39:17 UTC - bagrewakokugre[.]ml - POST /test?Jg4=994be0e03&7xgEEHm=aUFxsUhcaUwFEUBgEVVNBXRMHX1tYTQMUURpeVBhQ&G0rD38a=cIAgMdClZQSAUHDFZfBwYEDVIaAwA.&3sS=bAhoCAFN&3uKj=9fd553
- 2015-09-22 14:39:18 UTC - bagrewakokugre[.]ml - POST /test?HBNDq6=180f5f5&5NS5ew=bpXDAM&9mHd=52e4c2b&Pzgkkz=aUFxsXggHR1xPX1ERXEhRWQMUUUNSUwsNQVNBXUoLWEgFDk&MxCv=cdDlNIBgYFRFVSAAYKC1ZRAQJPD1A.
- 2015-09-22 14:39:20 UTC - bagrewakokugre[.]ml - GET /cart?BZG8gW=0f4181afdd&PhgeLIX=bNBXRMHX1tYTQMUURp&W7rI=ceVBhQAhoCAFNIAgMdClZ&Bi4=aUl1fXRgBAUNbRFNSSAYDCRgEVV&N3Gw=dQSAUHDFZfBwYEDVIaA0hZaxUWUFBAQDEpSAU.&0kIZ1=7e451bb1
POST-INFECTION TRAFFIC:
- 2015-09-22 14:40:00 UTC - www.aspcnc[.]co[.]nz - POST /
- 2015-09-22 14:40:00 UTC - www.aspcnc[.]co[.]nz - POST /
- 2015-09-22 14:40:01 UTC - www.aspcnc[.]co[.]nz - POST /
- 2015-09-22 14:40:01 UTC - www.aspcnc[.]co[.]nz - POST /
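The five Nuclear EK requests above share a recognizable shape: a handful of query parameters with mixed-case junk names, long mixed-case values, short hex tokens, and values ending in one or two dots. The following Node.js snippet is an added example, not code from the original page or from any signature set, that turns those observations into a simple heuristic scorer and runs it over the request lines from the chain of events. The request lines are copied from this page (defanged as shown); the www.example.com line is a constructed benign request for contrast, and the scoring rules and the threshold of 4 are my own assumptions, not an EmergingThreats rule.

```javascript
// Added example (not from the original page): a heuristic scorer for the
// landing/exploit URIs seen in the Nuclear EK chain above. The scoring rules
// are assumptions drawn from the URIs on this page, not an ET Pro signature.
const REQUEST_LINES = [
  // Copied from the chain of events above (defanged as on the page).
  'www.egsrentacar[.]com GET /',
  'l2-bob[.]cf GET /counter.php',
  'bagrewakokugre[.]ml GET /search?q=bhRWQMUUUNSUwsN&NTXyE=dBXUoLWA..&XpR=aXVpXXRwaUwFEUBhRAE&HFTwU66=69b764ddcb&PRb=0421a9794&OEpMB=cQVN',
  'bagrewakokugre[.]ml GET /test?XYmFY=b19GXxYDGllfRFJQGgUL&FQ6=aUUxDRANTQ1xPD1AaBgQCRAYHU0ZWTwUNW&HhSZ7=dAHCl1VBgMGDh&Boafs=25effbd31e&LW9MpP=017b889b0&GSMEe=cD0pQAxoBClIaBQ&RCU9=egAWAc.',
  'bagrewakokugre[.]ml POST /test?Jg4=994be0e03&7xgEEHm=aUFxsUhcaUwFEUBgEVVNBXRMHX1tYTQMUURpeVBhQ&G0rD38a=cIAgMdClZQSAUHDFZfBwYEDVIaAwA.&3sS=bAhoCAFN&3uKj=9fd553',
  'bagrewakokugre[.]ml POST /test?HBNDq6=180f5f5&5NS5ew=bpXDAM&9mHd=52e4c2b&Pzgkkz=aUFxsXggHR1xPX1ERXEhRWQMUUUNSUwsNQVNBXUoLWEgFDk&MxCv=cdDlNIBgYFRFVSAAYKC1ZRAQJPD1A.',
  'bagrewakokugre[.]ml GET /cart?BZG8gW=0f4181afdd&PhgeLIX=bNBXRMHX1tYTQMUURp&W7rI=ceVBhQAhoCAFNIAgMdClZ&Bi4=aUl1fXRgBAUNbRFNSSAYDCRgEVV&N3Gw=dQSAUHDFZfBwYEDVIaA0hZaxUWUFBAQDEpSAU.&0kIZ1=7e451bb1',
  'www.aspcnc[.]co[.]nz POST /',
  // Constructed benign line for contrast (hypothetical host).
  'www.example.com GET /search?q=rental+cars&page=2',
];

// Score one request URI; each satisfied rule adds a reason.
function scoreQuery(uri) {
  const q = uri.indexOf('?');
  if (q < 0) return { score: 0, reasons: [] };
  const params = uri.slice(q + 1).split('&').map((p) => {
    const eq = p.indexOf('=');
    return eq < 0 ? [p, ''] : [p.slice(0, eq), p.slice(eq + 1)];
  });
  const reasons = [];
  if (params.length >= 4) reasons.push('many-params');
  // Parameter names that mix upper and lower case instead of being words.
  const junkNames = params.filter(([k]) =>
    /^[A-Za-z0-9]{2,8}$/.test(k) && /[A-Z]/.test(k) && /[a-z]/.test(k)).length;
  if (junkNames * 2 >= params.length) reasons.push('random-names');
  if (params.filter(([, v]) => v.length >= 10).length >= 2) reasons.push('long-values');
  // Values ending in "." or ".." (seen on every EK request above).
  if (params.some(([, v]) => /\.+$/.test(v))) reasons.push('dot-padding');
  // Short lowercase hex tokens such as 69b764ddcb or 9fd553.
  if (params.some(([, v]) => /^[0-9a-f]{6,12}$/.test(v))) reasons.push('hex-token');
  return { score: reasons.length, reasons };
}

// Parse "host METHOD uri" lines and flag anything at or above the threshold.
function classifyRequests(lines, threshold = 4) {
  return lines.map((line) => {
    const [host, method, uri] = line.split(' ');
    const { score, reasons } = scoreQuery(uri);
    return { host, method, uri, score, reasons, suspicious: score >= threshold };
  });
}

for (const r of classifyRequests(REQUEST_LINES)) {
  console.log((r.suspicious ? 'ALERT' : '   ok') + ' score=' + r.score + ' ' +
    r.host + ' ' + r.method + ' ' + r.uri.slice(0, 40) + ' ' + r.reasons.join(','));
}
```

Run with `node` and the five bagrewakokugre[.]ml requests score 5 while the compromised site, the gate, the post-infection POSTs and the benign search score 0. A heuristic like this is a triage aid for proxy logs, not a substitute for the Suricata signatures the pcap was replayed against: it will miss EK families with different URI styles and can be tuned into false positives on CDNs that also use random-looking parameter names.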
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-09-22-Nuclear-EK-flash-exploit.swf
File size: 59.6 KB ( 60995 bytes )
MD5 hash: 917e9794bd819a35ff1fd4bc378232e4
SHA1 hash: bcfb2c9a7206ce9c1260fa49e4b2f5dacd0a717a
SHA256 hash: bd0c59c6e5bddb277120789e2341b0bc099f9016d664d9a4e25f21804d72f073
Detection ratio: 1 / 56
First submission: 2015-09-22 15:54:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/bd0c59c6e5bddb277120789e2341b0bc099f9016d664d9a4e25f21804d72f073/analysis/
MALWARE PAYLOAD:
File name: 2015-09-22-Nuclear-EK-malware-payload.exe
File size: 632.1 KB ( 647281 bytes )
MD5 hash: 2e3a61907992a8f6c49cd558cfbfa831
SHA1 hash: 23be081d349acdb6b3832f50cf669b177bfd0c67
SHA256 hash: a2a97efaa0914a1d91a10df523a72a2d514552b82c7bb80947083ea57766d3b7
Detection ratio: 4 / 56
First submission: 2015-09-22 15:53:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/a2a97efaa0914a1d91a10df523a72a2d514552b82c7bb80947083ea57766d3b7/analysis/
Malwr link: https://malwr.com/analysis/MjllOGI2ODI4NTYwNDhlZmEwYTdjMzdlZjJmOTJkN2U/
Hybrid-Analysis link: https://www.hybrid-analysis.com/sample/a2a97efaa0914a1d91a10df523a72a2d514552b82c7bb80947083ea57766d3b7?environmentId=4
SCREENSHOTS
Below is a screenshot showing the malicious script injected into a page from the compromised web site:
What's an easy way to confirm this is the script that caused the HTTP GET request for the redirect/gate? Dump the script into a web page by itself, then change the "eval" to "alert" as shown below. That should cause a pop-up window in your browser that might show the deobfuscated script:
Below is the pop-up window I got from a browser. At the very end is an iframe, somewhat obfuscated, but you can still find the gate URL within the area I've noted in the image. Before that, you'll also find a slightly obfuscated URL for 2zz3[.]cf/stat.php. When I checked, 2zz3[.]cf resolved to the same IP address as l2-bob[.]cf.
Click here to return to the main page.