2015-11-12 - NUCLEAR EK FROM 104.236.62.254 SENDS CRYPTOWALL 3.0

ASSOCIATED FILES:

Shown above:  CryptoWall 3.0 decrypt instructions (in German).

TRAFFIC

ASSOCIATED DOMAINS:

INITIAL WEBSITE AND REDIRECT:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

SNORT EVENTS


Shown above:  Events from the ET and ET Pro rulesets after using tcpreplay on the pcap in Security Onion running Suricata.

Shown above:  Events from the Snort registered ruleset after reading the pcap with Snort 2.9.7.6.

PRELIMINARY MALWARE ANALYSIS

NUCLEAR EK FLASH EXPLOIT:

File name:  2015-11-12-Nuclear-EK-flash-exploit.swf
File size:  111.2 KB ( 113,909 bytes )
MD5 hash:  75d21a2da0fc483291182e4697bdba4d
SHA1 hash:  f595b52b1dc729d3fb953d53db1acbe704b50de6
SHA256 hash:  c7129515960990dd2297f1f76db9bb2026c1ece9323101770833411e2c6500fa
Detection ratio:  1 / 53
First submission:  2015-11-12 18:11:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c7129515960990dd2297f1f76db9bb2026c1ece9323101770833411e2c6500fa/analysis/

NUCLEAR EK MALWARE PAYLOAD (CRYPTOWALL 3.0):

File name:  2015-11-12-Nuclear-EK-payload-CryptoWall-3.0.exe
File size:  169.5 KB ( 173,570 bytes )
MD5 hash:  3b99b8fc9dbed7362325644548829451
SHA1 hash:  311ac9cef19664407fa4420f816b55adf9912193
SHA256 hash:  5f738bbc131728340a70ad6314aa6942b8798d31cdb1d8621718afdcd7237070
Detection ratio:  3 / 53
First submission:  2015-11-12 18:11:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5f738bbc131728340a70ad6314aa6942b8798d31cdb1d8621718afdcd7237070/analysis/
Malwr.com link:  https://malwr.com/analysis/YWI3NzM2OTA4MzE5NDQ1ZjlkM2YwMWNkOGZlNjc1NDE/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/5f738bbc131728340a70ad6314aa6942b8798d31cdb1d8621718afdcd7237070?environmentId=1

IMAGES


Shown above:  Malicious script from the redirect domain.  The hex-encoded string hiding a malicious URL is highlighted.

Shown above:  Decoding the hex-encoded string from the redirect reveals the Nuclear EK landing page URL.


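The decoding step shown above, as an added example that is not code from the original post: it pulls hex-encoded string literals (bare hex runs and `\xNN` escapes) out of a redirect script and reports any URLs they decode to, which is the same triage an analyst does by hand on the highlighted string. The sample script and its two hex strings are constructed for this example and decode to placeholder `*.example.invalid` URLs, not to the actual landing page.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the style of the redirect script described above
# (a placeholder, not the real script). Both hex strings decode to
# *.example.invalid URLs, not to the actual Nuclear EK landing page.
SAMPLE_SCRIPT = r'''
<script>
var s = "687474703a2f2f6c616e64696e672e6578616d706c652e696e76616c69642f696e6465782e7068703f69643d31";
var t = "\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x64\x69\x72\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f";
document.write('<iframe src="' + s + '" width=1 height=1></iframe>');
</script>
'''

# A bare run of at least 8 hex byte pairs, not glued to other hex digits.
HEX_RUN = re.compile(r'(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){8,})(?![0-9a-fA-F])')
# The \xNN escape form of the same idea.
ESC_RUN = re.compile(r'((?:\\x[0-9a-fA-F]{2}){8,})')


def decode_hex_strings(script: str) -> list[str]:
    """Return every hex-encoded string found in the script, decoded to text."""
    decoded = []
    for m in ESC_RUN.finditer(script):
        decoded.append(bytes.fromhex(m.group(1).replace('\\x', '')).decode('latin-1'))
    for m in HEX_RUN.finditer(script):
        raw = bytes.fromhex(m.group(1))
        if all(0x20 <= b < 0x7f for b in raw):  # keep only printable ASCII results
            decoded.append(raw.decode('ascii'))
    return decoded


def extract_hidden_urls(script: str) -> list[str]:
    """Decoded strings that parse as URLs with a host: the redirect's real target."""
    urls = []
    for text in decode_hex_strings(script):
        for candidate in re.findall(r'https?://[^\s\'"<>]+', text):
            if urlparse(candidate).netloc:
                urls.append(candidate)
    return urls


if __name__ == "__main__":
    for url in extract_hidden_urls(SAMPLE_SCRIPT):
        print("hidden URL:", url)
```

Run it against a saved copy of a suspicious redirect page; decoded URLs are candidates to block or to pivot on in the pcap, not proof of compromise on their own.
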
Shown above:  Had to go through a Tor browser to get at the ransom payment's Bitcoin address.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
