2015-05-14 - Nuclear EK DELIVERS RANSOMWARE
PCAP AND MALWARE:
- ZIP file of the traffic: 2015-05-14-Nuclear-EK-delivers-ransomware.pcap.zip
- ZIP file of the malware: 2015-05-14-Nuclear-EK-and-ransomware-artifacts.zip
NOTES:
- More ransomware from Nuclear EK...
- The pop-up window earlier today by ransomware from Angler EK had aa 88 in the upper left corner. This one from Nuclear had aa 87 (see below).
- Some callback domains used by this ransomware didn't resolve in DNS, so I didn't get the usual follow-up traffic.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 5.101.118.148 port 80 - irwozpmg.myftp.biz - Nuclear EK
- 54.210.80.108 port 80 - ipinfo.io - IP check by the malware [not inherently malicious]
- 192.251.226.206 port 443 - iq3ahijcfeont3xx.tor2web.blutmagie.de - post-infection traffic
- no IP address - 24u4jf7s4regu6hn.fenaow48fn42.com - post-infection domain that didn't resolve in DNS
- no IP address - 24u4jf7s4regu6hn.sm4i8smr3f43.com - post-infection domain that didn't resolve in DNS
NUCLEAR EK:
- 2015-05-14 18:04:07 UTC - irwozpmg.myftp.biz - GET /wordpress/?bf7N&utm_source=le
- 2015-05-14 18:04:10 UTC - irwozpmg.myftp.biz - GET /F1UCX0NQH1BJXEcSDBtFWFJLDhhTQUVLAQhP.html
- 2015-05-14 18:04:11 UTC - irwozpmg.myftp.biz - GET /BhlFSUFRVAtDAElUH1BJXEcSDBtFWFJLDhhTQUVLAQhPSQNTTVANAhtTV08BAklUV1IEAwdTVVQFSVMJUg
- 2015-05-14 18:04:12 UTC - irwozpmg.myftp.biz - GET /BQhZUEkRV1ZfQwAZUh0ESVwXFA5PRVgCTQxMU0EVTQNcT0lTVU8EDQJLVVUbAQIZUlUGBANXVVcABUlQHxtBcno-FQ
POST-INFECTION TRAFFIC:
- 2015-05-14 18:04:15 UTC - ipinfo.io - GET /ip
- 2015-05-14 18:04:15 UTC - start DNS queries for: 24u4jf7s4regu6hn.fenaow48fn42.com - Response: Server failure
- 2015-05-14 18:04:15 UTC - start DNS queries for: 24u4jf7s4regu6hn.sm4i8smr3f43.com - Response: Server failure
- 2015-05-14 18:04:16 UTC - 192.251.226.206 port 443 - iq3ahijcfeont3xx.tor2web.blutmagie.de - HTTPS traffic starts
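An added example (not part of the original post, and not the author's tooling) that reads timeline lines in the format used above and flags the post-infection pattern this chain shows: an IP check, failed lookups of generated-looking callback domains, then contact with a tor2web gateway. The sample lines are copied from the chain of events; the 60-second window, the label-length heuristic and the host list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the chain-of-events lines from this post, in the page's own format.
SAMPLE_LINES = """
2015-05-14 18:04:07 UTC - irwozpmg.myftp.biz - GET /wordpress/?bf7N&utm_source=le
2015-05-14 18:04:15 UTC - ipinfo.io - GET /ip
2015-05-14 18:04:15 UTC - start DNS queries for: 24u4jf7s4regu6hn.fenaow48fn42.com - Response: Server failure
2015-05-14 18:04:15 UTC - start DNS queries for: 24u4jf7s4regu6hn.sm4i8smr3f43.com - Response: Server failure
2015-05-14 18:04:16 UTC - 192.251.226.206 port 443 - iq3ahijcfeont3xx.tor2web.blutmagie.de - HTTPS traffic starts
""".strip().splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (.*)$")
TOR2WEB_RE = re.compile(r"\.tor2web\.", re.IGNORECASE)
IP_CHECK_HOSTS = {"ipinfo.io"}  # the IP-lookup service seen in this post; extend for your environment

def parse_event(line):
    """One timeline line -> {ts, kind, host, failed}; None if it does not match.
    For HTTP/HTTPS lines the hostname is the first ' - ' field with a dot and no spaces."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    rest = m.group(2)
    if "DNS queries for:" in rest:
        host = rest.split("DNS queries for:", 1)[1].split(" - ")[0].strip()
        failed = any(s in rest for s in ("Server failure", "NXDOMAIN", "No such name"))
        return {"ts": ts, "kind": "dns", "host": host, "failed": failed}
    parts = [p.strip() for p in rest.split(" - ")]
    host = next((p for p in parts if "." in p and " " not in p), None)
    return {"ts": ts, "kind": "http", "host": host, "failed": False}

def dga_like(host):
    # Assumed heuristic: a long leftmost label mixing letters and digits.
    label = host.split(".")[0]
    return len(label) >= 12 and any(c.isdigit() for c in label) and any(c.isalpha() for c in label)

def triage(lines, window_s=60):
    """Correlate events within window_s seconds of the first line (the EK landing page).
    Tor2web contact alone, or repeated failed lookups of generated-looking names, escalates."""
    events = [e for e in map(parse_event, lines) if e]
    if not events:
        return {"suspicious": False}
    start = events[0]["ts"]
    window = [e for e in events if timedelta(0) <= e["ts"] - start <= timedelta(seconds=window_s)]
    f = {
        "failed_dga_lookups": [e["host"] for e in window if e["kind"] == "dns" and e["failed"] and dga_like(e["host"])],
        "tor2web_hosts": [e["host"] for e in window if e["host"] and TOR2WEB_RE.search(e["host"])],
        "ip_checks": [e["host"] for e in window if e["host"] in IP_CHECK_HOSTS],
    }
    f["suspicious"] = bool(f["tor2web_hosts"]) or len(f["failed_dga_lookups"]) >= 2
    return f
```

Run `triage(SAMPLE_LINES)` to see all three indicators grouped under the landing-page event; on real proxy and DNS logs, feed it the lines for one client, sorted by time.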
PRELIMINARY MALWARE ANALYSIS
NUCLEAR EK FLASH EXPLOIT:
File name: 2015-05-14-Nuclear-EK-flash-exploit.swf
File size: 18.5 KB ( 18895 bytes )
MD5 hash: 94e60bcae544717cd530b20c644a9d56
Detection ratio: 0 / 57
First submission: 2015-05-13 18:57:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/aeec9303bb0f3ba9b8d05259efc0d61e5ac0ce45555a8f468ad1ce597d3debe5/analysis/
RANSOMWARE:
File name: C:\Users\username\AppData\Local\skhwyva.exe
File size: 506.0 KB ( 518144 bytes )
MD5 hash: 58e1e0b122490dd5bf4a81776772b33c
Detection ratio: 0 / 55
First submission: 2015-05-14 18:45:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/8ce346a46314e8d741b20bb8a716590d5c8bc49febe7d91d3bf0e5289e43cdc4/analysis/
Malwr link: https://malwr.com/analysis/ZmQ2Yjk4ZGVhZTRlNGMzOWE3OThkY2QzZmZlNWRlYzc/
Hybrid-Analysis link: https://www.hybrid-analysis.com/sample/8ce346a46314e8d741b20bb8a716590d5c8bc49febe7d91d3bf0e5289e43cdc4?environmentId=1
FINAL NOTES
Once again, here's the PCAP of the traffic and ZIP file of the associated malware:
- ZIP file of the traffic: 2015-05-14-Nuclear-EK-delivers-ransomware.pcap.zip
- ZIP file of the malware: 2015-05-14-Nuclear-EK-and-ransomware-artifacts.zip
The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.