2015-08-14 - NUCLEAR EK FROM 95.85.21.30 - BACUHYTGBNVEDHHKO.ML

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-08-14-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-08-14-Nuclear-EK-artifacts.zip

 

NOTES:

• Traffic patterns indicate this Nuclear EK is by the same actor I blogged about 2 days ago on 2015-08-12.
• Saw malicious script in page from the compromised website pointing to both Angler and Nuclear EK.  Only got Nuclear EK this time.

 

TRAFFIC

ASSOCIATED DOMAINS:

• eggheadzcafe.com - Compromised website
• 193.104.41.182 port 80 - mobi-auto.ru - Redirect (gate)
• 95.85.21.30 port 80 - bacuhytgbnvedhhko.ml - Nuclear EK

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-08-14 14:02:13 UTC - eggheadzcafe.com - GET /
• 2015-08-14 14:02:18 UTC - mobi-auto.ru - GET /7/

 

NUCLEAR EK:

• 2015-08-14 14:02:18 UTC - bacuhytgbnvedhhko.ml - GET /search?q=cW0&QH7=aXQwBAxofVxoODgofAB4HBwEWXBsR&uhkk=d&aLDv6=
  bAQANQgcBDgoI&vq9G=7cb54581&HZ5qi7M=646ac642&ZnrQcWp=ewICg

• 2015-08-14 14:02:18 UTC - bacuhytgbnvedhhko.ml - GET /build?8JeuK=gVVofUg5W&Ild=cANQgcBDgo&iKvPJVi=27f466&3TIu4g=fFNRVVtWAlJc&
  cepPSyz=aURoVGgEbXwoNGlYfAB4&72jF=eV1ZWS&NVWGEiT=18f0fd&X2pN=bHBwEWXBsRAQ&Lk5O=dIW0wICh5VAkxUXlVNAlpL

• 2015-08-14 14:02:20 UTC - bacuhytgbnvedhhko.ml - GET /order?AxQT8pl=993632fb5f&ERi9d=dXAR5UUlFaAVRVX1FbSFUZPA&wS4tf7S=
  bQocEgUBWhQAAg&5cRu=eolQhUUEDcfBQ&Ifn=coLXw1LCw4fAlRLV1pUGlRdSFN&iNd=59ca6da623&bVCx0=aUgsJAx4ATAkNDh5XSFYZBAMAQ

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-08-14-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:   2015-08-14-Nuclear-EK-artifacts.zip

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.