2014-12-12 - RANSOMWARE INFECTION AFTER NUCLEAR EK FROM 128.199.52[.]211 - YQUESRERMAN[.]GA

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-12-12-Nuclear-EK-traffic.pcap.zip  612.7 kB (612,734 bytes)
• 2014-12-12-Nuclear-EK-malware.zip  185.5 kB (185,535 bytes)

 

NOTES:

• I'm finding more Nuclear EK, now that it's been updated and the traffic patterns have changed.
• See my 2014-12-10 blog entry for details on Nuclear EK's new traffic patterns (payload being XOR-ed, etc).
• Unlike the 2014-12-10 blog entry on Nuclear EK, this one was not caused by Operation Windigo, so it has a different payload.
• The malware didn't do anything when I infected the VM earlier in the day.
• I ran the malware on another VM later that evening and got ransomware (see the image below).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 128.199.52[.]211 - yquesrerman[.]ga - Nuclear EK
• 176.9.245[.]80 - bloghersked[.]com - post-infection traffic

 

Nuclear EK:

• 2014-12-12 21:43:07 UTC - yquesrerman[.]ga - GET /AkNVHkgGT0Q.html
• 2014-12-12 21:43:09 UTC - yquesrerman[.]ga - GET /AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA
• 2014-12-12 21:43:11 UTC - yquesrerman[.]ga - GET /ABsJAkhWAkcLGlEaQRlWAAMLQ0BWUF5CGVMFHAJPQ0hXVkBLVQQGT0IOIhMIIw4ffQ
• 2014-12-12 21:43:15 UTC - yquesrerman[.]ga - GET /ABsJAkhWAkcLGlEaQRlWAAMLQ0BWUF5CGVMFHAJPQ0hXVkBLVQQGT0IOCB0uGQEzYlVPRQ
• 2014-12-12 21:43:16 UTC - yquesrerman[.]ga - GET /AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOQB4eEAAU
• 2014-12-12 21:43:17 UTC - yquesrerman[.]ga - GET /ABsJAkhWAkcLGlEaQRlWAAMLQ0BWUF5CGVMFHAJPQ0hXVkBLVQQGT0AOIhMIIw4ffQ
• 2014-12-12 21:43:21 UTC - yquesrerman[.]ga - GET /ABsJAkhWAkcLGlEaQRlWAAMLQ0BWUF5CGVMFHAJPQ0hXVkBLVQQGT0AOCB0uGQEzYlVPRQ
• 2014-12-12 21:43:22 UTC - yquesrerman[.]ga - GET /ABsJAkhWAkcLGlEaQRlWAAMLQ0BWUF5CGVMFHAJPQ0hXVkBLVQQGT08OIhMIIw4ffQ
• 2014-12-12 21:43:25 UTC - yquesrerman[.]ga - GET /ABsJAkhWAkcLGlEaQRlWAAMLQ0BWUF5CGVMFHAJPQ0hXVkBLVQQGT08OCB0uGQEzYlVPRQ

 

POST-INFECTION TRAFFIC:

• 2014-12-12 21:44:23 UTC - bloghersked[.]com - GET /mf_llksxjSOQYxu5lzLdigricqvz2vcvt_jzifnsuoYbufEqAvPhOEip2ntpo3tzjz_yxhr_yhwg_zkbHgSqGyz1
  QBzxPWCvDZppsmufIfatBFvshc1QvAsVZ.html
• 2014-12-12 21:44:36 UTC - bloghersked[.]com - GET /vz_VCvt2jz0iFnSuoYbufVeLulGCbPatHjw9prneWHtwzl7SAsqvcdm9HOin6pcJWwq1gn0lj4lmoe-avD
  ANNtavvas2yxsc_jnzx_bhdhrqzu9gfcb6hYIeHoypfx.html

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (without ET POLICY or ET INFO events):

• 128.199.52[.]211:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (sid:2019315)
• 128.199.52[.]211:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
• 128.199.52[.]211:80 - ET CURRENT_EVENTS Nuclear EK SilverLight Exploit (sid:2019917)
• 128.199.52[.]211:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
• 176.9.245[.]80:80 - ETPRO TROJAN Common Downloader Header Pattern UHCa (sid:2803270)
• 176.9.245[.]80:80 - ET TROJAN Win32/Urausy.C Checkin 2 (sid:2016567)

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7.6:

• 128.199.52[.]211:80 - [1:32359:1] FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-12-12-Nuclear-EK-flash-exploit.swf
File size:  22,361 bytes
MD5 hash:  9b3ad66a2a61e8760602d98b537b7734
Detection ratio:  0 / 56
First submission:  2014-12-13 01:24:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/00730977f6a6c1e8a7221a11785e525cdc2a39638b869d77da9b828e4643f839/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-12-12-Nuclear-EK-silverlight-exploit.xap  (same as the one from 2014-12-10)
File size:  6,924 bytes
MD5 hash:  87d140b1b68cbe2b46a4a355fbd87a09
Detection ratio:  10 / 55
First submission:  2014-12-10 18:31:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0b5876419025568915bfea24d22163169f4b3634935edafd998c26d57900055/analysis/

 

MALWARE PAYLOAD:

File name:  2014-12-12-Nuclear-EK-malware-payload.exe
File size:  230,400 bytes
MD5 hash:  bf230af91ac92924a745f42021abbba0
Detection ratio:  7 / 53
First submission:  2014-12-13 01:24:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/18cb84c0d9c87fa5ed74da826270bd416aa039795b731fc91e700b03b7738610/analysis/

 

SCREENSHOTS

Full view of the ransomware screen from the infected VM:

 

Click here to return to the main page.