2015-10-18 - BIZCN GATE NUCLEAR EK FROM 5.175.148.193 SENDS CRYPTOWALL 3.0

ASSOCIATED FILES:


NOTES:


Shown above:  User checking one of the decryption instructions web pages.


CHAIN OF EVENTS


Shown above:  Results in Security Onion after using tcpreplay on the pcap.


ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT/GATE:


Shown above:  Injected script in page from the compromised website.


NUCLEAR EK:


POST-INFECTION TRAFFIC:


USER CHECKING THE DECRYPTION INSTRUCTION WEB PAGES:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-18-BizCN-gate-actor-Nuclear-EK-flash-exploit.swf
File size:  59.7 KB ( 61116 bytes )
MD5 hash:  95278a4debde40fea520a1895d200f8f
SHA1 hash:  e0c2d4d4663bd8aaf05518004a947596e4806af8
SHA256 hash:  d8883383dcbc71f75ab855f84d292697474b8bbebdaee109698e0d68f4a4194b
Detection ratio:  4 / 56
First submission:  2015-10-20 15:29:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8883383dcbc71f75ab855f84d292697474b8bbebdaee109698e0d68f4a4194b/analysis/


MALWARE PAYLOAD:

File name:  2015-10-18-BizCN-gate-actor-Nuclear-EK-payload-CryptoWall-3.0.exe
File size:  151.5 KB ( 155146 bytes )
MD5 hash:  2d814564ff4574bd423496bdd6105c24
SHA1 hash:  235d0914151a37b46178279f4793fc52acad2cfb
SHA256 hash:  ac24889f515b094fdf81f3d0144fb97357484a5b01bd65ac3e4b68c34b7c28c2
Detection ratio:  30 / 56
First submission:  2015-10-18 03:29:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ac24889f515b094fdf81f3d0144fb97357484a5b01bd65ac3e4b68c34b7c28c2/analysis/
Malwr link:  https://malwr.com/analysis/NWMwMzk4MjU3MjdjNDllMjlkNzNjZmIwZTE3NmNiZTU/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/ac24889f515b094fdf81f3d0144fb97357484a5b01bd65ac3e4b68c34b7c28c2?environmentId=1


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
