2015-09-29 - NUCLEAR EK FROM 162.247.14[.]204 - KOLENKOVOLODKI[.]CF

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

• 2015-09-29-Nuclear-EK-traffic.pcap.zip
• 2015-09-29-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• Two payloads from Nuclear EK.  One was TelsaCrypt 2.0 ransomware and the other was something else (maybe Necurs).
• There was some click-fraud and non-DNS UDP traffic I didn't include in the write-up, so please review the pcap for details not shown below.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 188.128.190[.]83 port 80 - roninsnowboards[.]com - Compromised website
• 162.247.14[.]190 port 80 - yidjskdfjskdfsdf[.]tk - Redirect
• 162.247.14[.]204 port 80 - kolenkovolodki[.]cf - Nuclear EK
• See below for some of hte post-infection traffic

 

INFECTION TRAFFIC:

• 2015-09-29 15:36:47 UTC - roninsnowboards[.]com - GET /

• 2015-09-29 15:36:49 UTC - yidjskdfjskdfsdf[.]tk - GET /052F

• 2015-09-29 15:36:52 UTC - kolenkovolodki[.]cf - GET /search?q=3dbbe50e&W4t1O=cUDFRa&TwPvo=bBAxEV0xaClldDVteE1p&SqSxfsb=fbBQ&4SKQkiN=
  g..&MlBRoZN=e&V4hWTK=aCl5VAE1EAkRX&TIgR=dDBt&BHJ8W=38cc0721

• 2015-09-29 15:36:54 kolenkovolodki[.]cf - GET /document.shtml?Yyqa4=cUkJVwQCU&LjG=aBkhBGVRMBVEIGQFEUgVN&Hg24a=dAEJ&D62Yr7T=
  bDlpUBl5aCkNXD19VDlwWAFZNVgIWVwYfVAQOTQEJU&9WSpwgX=1f01f82c&5H79jT=eUwECGVNUUA..&BIwW1=871316ae05

• 2015-09-29 15:36:55 UTC - kolenkovolodki[.]cf - POST /file?FVH3=aB1huD0ZEAkRXBAxECF9dAFtTDEZeCVpcCFkfBlNEUAcfUQMWUg&SYqpA8=
  bEHSwQAV0w&76o4=0db0c48&AuI=fLHwQ.&AxYu6Po=eQQ&XP4=dAV&Tw8m=90f815bba&NAdB3c=cAUQELVgQ

• 2015-09-29 15:36:55 UTC - kolenkovolodki[.]cf - POST /document.shtml?SyF3=2cb01ca&IGb7D0=bVDlwWAFZNVg&CwwkT=2b144671&UU6vXi=
  dQCUAEJUwECGQE.&Xq5=cIWVwYfVAQOTQEJUUkJVw&H1XfG1=aB1huA1lZEFhNBEFeAglNDlpUBl5aCkNXD19

• 2015-09-29 15:36:59 UTC - kolenkovolodki[.]cf - GET /order?QO7b=bNXGQYPTQQHSwQJVR4AXQFEUgQFVgAMU&9xRFqVA=aBVldAElZF1ZQXEkMH
  wIBGV5XD1VfDlpODFxeAV5RTV&ZPa3P=116202551&CyiH=cgAA&OPrZE=gwD&OQtV1t=dVkkPH&ZHJf=fG0&Qh6wH27=81843062b&GRh=e1R1KEFu

• 2015-09-29 15:37:00 UTC - kolenkovolodki[.]cf - GET /cart?XCkwAz=aBVldAElZF1ZQXEkMHwEEGV5XD1VfDlpODF&Nxapn=bxeAV5RTVNXGQYPTQQH
  SwQJVR4AXQFEUg&M07cW=12d859&BHIw=59023e7&GW35D02=cQFVgAMUgAAVkkPH1drAXtOJFt0GQQ.

 

POST-INFECTION TRAFFIC:

• 2015-09-29 15:37:06 UTC - myexternalip[.]com - GET /raw
• 2015-09-29 15:37:07 UTC - 103.21.59[.]28 - hotelshyamregency[.]com - GET /wp-includes/js/thickbox/misc.php?E3A52264CF4279[very long string]
• 2015-09-29 15:37:31 UTC - 103.21.59[.]28 - hotelshyamregency[.]com - GET /wp-includes/js/thickbox/misc.php?572A56481F78D9[very long string]
• 2015-09-29 15:37:47 UTC - 143.95.87[.]76 - motherbeing-news[.]com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:37:49 UTC - 192.186.255[.]0 - mindfucktoys[.]com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:37:51 UTC - 192.185.16[.]111 - mommycums[.]com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:37:58 UTC - 160.153.94[.]33 - musictocheer[.]com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:00 UTC - 141.101.3[.]36 - 731pro[.]pw - POST /gate777.php
• 2015-09-29 15:38:02 UTC - 143.95.87[.]76 - motherbeing-news[.]com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:38:02 UTC - 192.95.31[.]85 - syedali-hajveri[.]com - GET /crypt914.exe
• 2015-09-29 15:38:04 UTC - 192.186.255[.]0 - mindfucktoys[.]com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:38:06 UTC - 192.185.16[.]111 - mommycums[.]com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:38:06 UTC - 178.159.112[.]110 - 731pro[.]pw - POST /gate777.php
• 2015-09-29 15:38:12 UTC - 160.153.94[.]33 - musictocheer[.]com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:18 UTC - 159.224.247.95 - 731pro[.]pw - POST /gate777.php
• 2015-09-29 15:38:18 UTC - 143.95.87[.]76 - motherbeing-news[.]com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:38:20 UTC - 213.180.204[.]3 - ya[.]ru - GET /
• 2015-09-29 15:38:20 UTC - 192.186.255[.]0 - mindfucktoys[.]com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:38:21 UTC - 192.185.16[.]111 - mommycums[.]com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:38:22 UTC - 143.95.87[.]76 - motherbeing-news[.]com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:38:26 UTC - 192.186.255[.]0 - mindfucktoys[.]com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:38:28 UTC - 192.185.16[.]111 - mommycums[.]com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:38:29 UTC - 160.153.94[.]33 - musictocheer[.]com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:31 UTC - 141.101.3[.]36 - 731pro[.]pw - POST /gate777.php
• 2015-09-29 15:38:34 UTC - 160.153.94[.]33 - musictocheer[.]com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:35 UTC - 46.119.105[.]213 - 731pro[.]pw - POST /gate777.php
• 2015-09-29 15:38:47 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /[[[[redacted]]]]
• 2015-09-29 15:38:48 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/style.css
• 2015-09-29 15:38:48 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/flags/us.png
• 2015-09-29 15:38:48 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/flags/de.png
• 2015-09-29 15:38:48 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/flags/es.png
• 2015-09-29 15:38:48 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/flags/fr.png
• 2015-09-29 15:38:48 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/flags/it.png
• 2015-09-29 15:38:49 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /captcha.php
• 2015-09-29 15:38:49 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/lb.png
• 2015-09-29 15:38:49 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/rb.png
• 2015-09-29 15:38:50 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/lt.png
• 2015-09-29 15:38:50 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/rt.png
• 2015-09-29 15:38:51 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /favicon.ico
• 2015-09-29 15:38:54 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - POST /[[[[redacted]]]]
• 2015-09-29 15:38:55 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /service.php
• 2015-09-29 15:38:57 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/bitcoin.png
• 2015-09-29 15:38:57 UTC - 85.204.74[.]10 - djru34dnd.lgk749kch8ej[.]com - GET /img/button_pay.png
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /[[[[redacted]]]]
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/style.css
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/flags/us.png
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/flags/fr.png
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/flags/it.png
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/flags/es.png
• 2015-09-29 15:39:07 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/flags/de.png
• 2015-09-29 15:39:08 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /captcha.php
• 2015-09-29 15:39:08 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/lt.png
• 2015-09-29 15:39:08 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/rt.png
• 2015-09-29 15:39:08 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/lb.png
• 2015-09-29 15:39:08 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/rb.png
• 2015-09-29 15:39:09 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /favicon.ico
• 2015-09-29 15:39:12 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - POST /[[[[redacted]]]]
• 2015-09-29 15:39:13 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /service.php
• 2015-09-29 15:39:13 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/bitcoin.png
• 2015-09-29 15:39:13 UTC - 82.211.30[.]250 - ks53kc7s.td45hdrtabc23[.]com - GET /img/button_pay.png

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD 1 OF 2:

File name:  2015-09-29-Nuclear-EK-payload-1-of-2.exe
File size:  114,176 bytes
MD5 hash:  7c9bc9e7a4162ee0c175ef16ffc6b7f4
SHA1 hash:  23afa1bff785e346c892a1306cb3ea17190012ca
SHA256 hash:  50b1d95d1ceaaa23055a7ca8ef2c509fdea590d55ebf24aecb99340e2146ab04
Detection ratio:  18 / 56
First submission:  2015-09-29 16:36:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/50b1d95d1ceaaa23055a7ca8ef2c509fdea590d55ebf24aecb99340e2146ab04/analysis/

 

MALWARE PAYLOAD 2 OF 2 (TESLACRYPT 2.0 RANSOMWARE):

File name:  2015-09-29-Nuclear-EK-payload-2-of-2.exe
File size:  386,963 bytes
MD5 hash:  91f696e9dea1f3ff5cacb892eb517790
SHA1 hash:  eed903d8c7f669b43eecee685c0f12827a4b93f0
SHA256 hash:  4130a04843e19a995a8a3ab0b5219cf84bd6fdde3e7e816522ddf99ac3621681
Detection ratio:  7 / 55
First submission:  2015-09-29 14:15:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4130a04843e19a995a8a3ab0b5219cf84bd6fdde3e7e816522ddf99ac3621681/analysis/

 

Click here to return to the main page.