2015-11-15 - BIZCN GATE ACTOR NUCLEAR EK FROM 212.231.129.35

ASSOCIATED FILES:


The payload?  It's our old friend, CryptoWall 3.0.


TRAFFIC

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:


NUCLEAR EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

NUCLEAR EK FLASH EXPLOIT:

File name:  2015-11-15-BizCN-gate-actor-Nuclear-EK-flash-exploit.swf
File size:  83.1 KB ( 85,118 bytes )
MD5 hash:  773adb8700f651493f90a04a43bcf3aa
SHA1 hash:  fd6f68a254d28f6dfd51f24a741a66e8a8e6fd57
SHA256 hash:  44cbac05634c6896ef34f1f128d2556f2c01de91d59f512660a6e8130311a2c6
Detection ratio:  1 / 53
First submission:  2015-11-16 17:18:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/44cbac05634c6896ef34f1f128d2556f2c01de91d59f512660a6e8130311a2c6/analysis/


NUCLEAR EK MALWARE PAYLOAD (CRYPTOWALL 3.0):

File name:  2015-11-15-BizCN-gate-actor-Nuclear-EK-malware-payload.exe
File size:  185.3 KB ( 189,707 bytes )
MD5 hash:  ef847fdc004c861d543d629990ab1973
SHA1 hash:  d59e67f25d0eb14dd0fb6676b78c79bf5c9b3aa4
SHA256 hash:  dd47fc16e8c6c15e38a935738d6d3c90dc35d2d17a3abb2175d7a36dca0db0ee
Detection ratio:  6 / 54
First submission:  2015-11-16 04:47:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dd47fc16e8c6c15e38a935738d6d3c90dc35d2d17a3abb2175d7a36dca0db0ee/analysis/
Malwr.com link:  https://malwr.com/analysis/YjA1NWM5Zjc2MzgwNDM2YjhhYmMzODUyZjYwZTNhYTg/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/dd47fc16e8c6c15e38a935738d6d3c90dc35d2d17a3abb2175d7a36dca0db0ee?environmentId=1


ARTIFACTS ALSO FOUND ON THE INFECTED WINDOWS HOST:


IMAGES


Shown above:  Pcap of the traffic displayed in Wireshark, filtered on http.request.



Shown above:  Malicious script injected in a page from the compromised website.



Shown above:  Malicious script returned from the BizCN-registered gate.  Highlighted unicode represents the Nuclear EK landing URL.



Shown above:  Nuclear EK landing page.



Shown above:  Nuclear EK sends a Flash exploit.



Shown above:  Nuclear EK sends the malware payload.



Shown above:  I ran the malware again and got some more post-infection domains during the CryptoWall 3.0 check-in traffic.



Shown above:  Decryption instructions with the bitcoin address for the ransom payment.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.