Malware-Traffic-Analysis.net - 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92

2015-07-08 - BIZCN GATE ACTOR NUCLEAR EK ON 108.61.188.92

PCAP AND MALWARE:

ZIP of the traffic: 2015-07-08-BizCN-gate-actor-Nuclear-EK-both-pcaps.zip
PCAP of the traffic - second example: 2015-07-08-BizCN-gate-actor-Nuclear-EK-traffic-example-2-of-2.pcap
ZIP file of the malware (both examples): 2015-07-08-BizCN-gate-Nuclear-EK-malware.zip

NOTES:

Follow-up traffic & malware for an article I wrote at: https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
This BizCN gate actor Nuclear EK traffic moved from 107.191.63.163 (as seen in previous blog posts) to 108.61.188.92 (still a Choopa/Vultr IP address).

My previous blog posts tracking BizCN gate actor Nuclear EK:

2015-07-05 - BizCN gate actor using Nuclear EK (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)

2015-07-07 - BizCN gate actor Nuclear EK (EK on 107.191.63.163)

2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92 (EK changes IP)

TRAFFIC

ASSOCIATED DOMAINS - FIRST EXAMPLE

www.shootersforum.com - Compromised website
136.243.224.10 port 80 - spoeract.com - BizCN registered gate
108.61.188.92 port 80 - alefreed.ml Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - FIRST EXAMPLE

2015-07-08 18:43:05 UTC - www.shootersforum.com - GET /
2015-07-08 18:43:06 UTC - spoeract.com - GET /oqGrg/mIZhGrtN-jUKqpWMXRS/OL-_vjw_oYqJUs/N.js?
Wz-=0s1-&V-5rF-=b_c&YUBiugOj-=H29j&b7Fk--=f-3Y&vjMFdQ--=6m6y&WawhJ=b6S&jlk_hsqOa=2

NUCLEAR EK - FIRST EXAMPLE

2015-07-08 18:43:19 UTC - alefreed.ml - GET /Q08LCldMCEtTVV1WS1JXXRZdVQ.html
2015-07-08 18:43:19 UTC - alefreed.ml - GET /XE9CRUJIAARdRQlMCktTVV1WS1JXXRZdVUsFARYBCw4cCA8DFwYBCEQBDQQECgAAAA4LRV5cCg
2015-07-08 18:43:20 UTC - alefreed.ml - GET /X15eXERKQQ4BVkQBRQROWFRVX0VXXFweVFtODgAeCAULFwkHChkDCglMCAMBDwsICQ4LAEQFRVlYWlVBUl1OCA

ASSOCIATED DOMAINS - SECOND EXAMPLE

offbeathome.com - Compromised website
136.243.224.10 port 80 - tittiogg.com - BizCN registered gate
108.61.188.92 port 80 - alefreed.ml Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - SECOND EXAMPLE

2015-07-08 19:00:31 UTC - offbeathome.com - GET /2012/09/inexpensive-alternative-housing
2015-07-08 19:00:33 UTC - tittiogg.com - GET /S-LgqXhIJZ_M-iY_W/njw-VW-Pi/SGwl_sJjvy.js?
KU6hmi=McmN8w7V76-&EW=57855&ZY4=x005Zxbc-&v4xV0Fue=g3eaRd9

NUCLEAR EK - SECOND EXAMPLE

2015-07-08 19:00:42 UTC - alefreed.ml - GET /VVFdVkpMCEtTVV1WS1JXXRZdVQ.html
2015-07-08 19:00:43 UTC - alefreed.ml - GET /XE9CRVRWVlhARQlMCktTVV1WS1JXXRZdVUsACAoeCg8cCA4HFwYLAEQBDQQECgACCQMBRV5cCg
2015-07-08 19:00:43 UTC - alefreed.ml - GET /X15eXERcX1hdS0QBRQROWFRVX0VXXFweVFtOCwkCFwQKFwkGDhkDAAFMCAMBDwsICwcGCkQFRURTdHZDU0sD
2015-07-08 19:00:46 UTC - alefreed.ml - GET /X15eXERcX1hdS0QBRQROWFRVX0VXXFweVFtOCwkCFwQKFwkGDhkDAAFMCAMBDwsICwcGCkQHRURTdHZDU0sD

FINAL NOTES

Once again, here are the associated files:

ZIP of the traffic: 2015-07-08-BizCN-gate-actor-Nuclear-EK-both-pcaps.zip
ZIP file of the malware (both examples): 2015-07-08-BizCN-gate-Nuclear-EK-malware.zip

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.