2015-10-20 - 052F GATE NUCLEAR EK FROM 178.62.143.149 SENDS CRYPTOWALL 3.0 AND ANDROMEDA/GAMARUE

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS


Shown above:  Results in Security Onion after using tcpreplay on the pcap.

 


Shown above:  The pcap filtered in Wireshark for HTTP requests.

 


Shown above:  Injected script in page from compromised website.

 


Shown above:  CryptoWall decrypt instructions.

 

ASSOCIATED DOMAINS:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-20-052F-gate-Nuclear-EK-flash-exploit.swf
File size:  59.7 KB ( 61155 bytes )
MD5 hash:  174ace491c5eae2d979aa28e6b925579
SHA1 hash:  e7991d1f06ee57ae1b8926d1eb6bb8443a76df92
SHA256 hash:  a2c7381288695d45c670dbbaf294a5bf9df750f73c2dc2844c3477db67824245
Detection ratio:  3 / 56
First submission:  2015-10-20 13:49:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a2c7381288695d45c670dbbaf294a5bf9df750f73c2dc2844c3477db67824245/analysis/

 

MALWARE PAYLOAD 1 OF 2 (ANDROMEDA/GAMARUE):

File name:  2015-10-20-052F-gate-Nuclear-EK-payload-1-of-2-Andromeda.exe
File size:  235.0 KB ( 240640 bytes )
MD5 hash:  fd1ec5223e439b74093c812394868027
SHA1 hash:  cefc6e153e8aab7ad80587b22d98b00003db3dab
SHA256 hash:  31f81b5e6854dfee0739c1f8266668622b13f36a5499d98809fcc04603ee7152
Detection ratio:  3 / 56
First submission:  2015-10-20 13:49:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/31f81b5e6854dfee0739c1f8266668622b13f36a5499d98809fcc04603ee7152/analysis/
Malwr link:  https://malwr.com/analysis/YWRiODY0OWI1MDM0NDU2NmI1MDc0ZWMyY2E5YmU2OGE/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/31f81b5e6854dfee0739c1f8266668622b13f36a5499d98809fcc04603ee7152?environmentId=4

 

MALWARE PAYLOAD 2 OF 2 (CRYPTOWALL 3.0):

File name:  2015-10-20-052F-gate-Nuclear-EK-payload-2-of-2-CryptoWall-3.0.exe
File size:  233.2 KB ( 238818 bytes )
MD5 hash:  53343fd8e1a67bd37935012d858f2e0b
SHA1 hash:  82d2543f09a85e038750b915ea3f1c394ec65b92
SHA256 hash:  e970ed2ec0a30a6ed68f4f5075d50971d1ecb8dcb981c30b441da0210b6652e6
Detection ratio:  11 / 56
First submission:  2015-10-20 13:50:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e970ed2ec0a30a6ed68f4f5075d50971d1ecb8dcb981c30b441da0210b6652e6/analysis/
Malwr link:  https://malwr.com/analysis/NTM1NmVkNTA3YTIwNGFkMTljM2FhOTg4ZjdhOTdhOGM/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/e970ed2ec0a30a6ed68f4f5075d50971d1ecb8dcb981c30b441da0210b6652e6?environmentId=4
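The three file records above are what a responder would feed into a retrospective hash sweep. The following script is an added example, not code from malware-traffic-analysis.net: it carries the sizes and MD5/SHA1/SHA256 values exactly as published on this page, hashes every file under a directory in one pass, and reports any indicator hit. The file it scans in the demo is a constructed stand-in, not a real sample, and its hashes are added to the indicator set at runtime so the script runs offline.

```python
"""Hash-based indicator sweep using the file records from this page.

Added example (not from the original post). PAGE_IOCS is copied from the
page; the scanned sample in demo() is constructed here and is benign.
"""
import hashlib
import io
import os
import tempfile

HASH_ALGOS = ("md5", "sha1", "sha256")

# Indicators exactly as published above: name -> size in bytes and digests.
PAGE_IOCS = {
    "2015-10-20-052F-gate-Nuclear-EK-flash-exploit.swf": {
        "size": 61155,
        "md5": "174ace491c5eae2d979aa28e6b925579",
        "sha1": "e7991d1f06ee57ae1b8926d1eb6bb8443a76df92",
        "sha256": "a2c7381288695d45c670dbbaf294a5bf9df750f73c2dc2844c3477db67824245",
    },
    "2015-10-20-052F-gate-Nuclear-EK-payload-1-of-2-Andromeda.exe": {
        "size": 240640,
        "md5": "fd1ec5223e439b74093c812394868027",
        "sha1": "cefc6e153e8aab7ad80587b22d98b00003db3dab",
        "sha256": "31f81b5e6854dfee0739c1f8266668622b13f36a5499d98809fcc04603ee7152",
    },
    "2015-10-20-052F-gate-Nuclear-EK-payload-2-of-2-CryptoWall-3.0.exe": {
        "size": 238818,
        "md5": "53343fd8e1a67bd37935012d858f2e0b",
        "sha1": "82d2543f09a85e038750b915ea3f1c394ec65b92",
        "sha256": "e970ed2ec0a30a6ed68f4f5075d50971d1ecb8dcb981c30b441da0210b6652e6",
    },
}


def digest_stream(fh):
    """Compute all three digests plus the byte count in a single read pass."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    size = 0
    for chunk in iter(lambda: fh.read(1 << 16), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digest_bytes(data):
    """Convenience wrapper for in-memory data (used by tests and the demo)."""
    return digest_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_iocs(observed, iocs=PAGE_IOCS):
    """Return [(indicator_name, matched_fields)] for every indicator that hits.

    A hash match with a differing size is still reported, but flagged, because
    it usually means the indicator record itself was transcribed wrongly.
    """
    hits = []
    for name, ioc in iocs.items():
        matched = [algo for algo in HASH_ALGOS if observed[algo] == ioc[algo]]
        if matched:
            if observed["size"] != ioc["size"]:
                matched.append("size-mismatch")
            hits.append((name, matched))
    return hits


def scan_directory(directory, iocs=PAGE_IOCS):
    """Walk a directory tree; map relative path -> hits for files that match."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            hits = match_iocs(hash_file(path), iocs)
            if hits:
                report[os.path.relpath(path, directory)] = hits
    return report


def demo():
    """Constructed run: one ordinary file and one stand-in 'sample'.

    The stand-in's digests are added to the indicator set so the sweep has
    something to hit; the page's real indicators will not match anything here.
    """
    stand_in = b"CONSTRUCTED stand-in for a quarantined sample - not malware\n"
    iocs = dict(PAGE_IOCS)
    iocs["constructed-stand-in-sample.bin"] = digest_bytes(stand_in)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"ordinary document; no indicator should match\n")
        with open(os.path.join(tmp, "unknown.bin"), "wb") as fh:
            fh.write(stand_in)
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", hits)
```

Keep in mind what a hit does and does not tell you: these digests identify the exact bytes of the three files captured on 2015-10-20, so a match is strong evidence, but the low detection ratios listed above (3 / 56 for the Flash exploit and the Andromeda payload) are a reminder that a miss means nothing about a repacked copy. Use the sweep for retrospective triage after an alert, alongside the network indicators from the pcap, not as a substitute for them.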

 

FINAL NOTES

Once again, here are the associated files:

The ZIP files are password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
