2015-08-14 - BIZCN GATE ACTOR NUCLEAR EK FROM 89.238.181.74 - FREE3DPRINT.CF

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-08-14-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-08-14-BizCN-gate-actor-Nuclear-EK-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was: 14ebF4oEvoqPtCFDASf8ASHv3jGtr41DGP (same as last 2 times since 2015-07-17).

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114.126
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120.33
• 2015-07-30 - BizCN gate actor Nuclear EK on 46.101.18.39
• 2015-08-14 - BizCN gate actor Nuclear E on 89.238.181.74  (this blog post)

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.rawartists.org - Compromised website
• 136.243.25.245 port 80 - clockziniher.com - BizCN-registered gate
• 89.238.181.74 port 80 - free3dprint.cf - Nuclear EK
• 184.168.205.62 port 80 - bryanfross.com - CryptoWall 3.0 post-infection traffic
• 89.108.88.49 port 80 - 6i3cb6owitcouepv.speralreaopio.com - User checking the decrypt instructions
• 89.108.88.49 port 80 - 6i3cb6owitcouepv.vremlreafpa.com - User checking the decrypt instructions
• 6i3cb6owitcouepv.wolfwallsreaetpay.com - Domain for decrypt instructions that did not resolve
• 6i3cb6owitcouepv.askhoreasption.com - Domain for decrypt instructions that did not resolve

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-08-14 16:48:46 UTC - www.rawartists.org - GET /
• 2015-08-14 16:48:49 UTC - clockziniher.com - GET /UGyJO-Tx-/N_IMpQ_WhkO_q-U-mzi/olQ-XVnvkm_iJgNLOr-qwst/sP.js?1PdCgrkG=caKL6Y&
  EH1p-e=yfof9&WpI=dgG72M&-_=-7f9L&XcEBPh=ft15

 

NUCLEAR EK:

• 2015-08-14 16:48:57 UTC - free3dprint.cf - GET /search?q=38d50eae&tqOE=dHRRNcXBFNVgc&AUJ=cUxNQV1Y&KGSep3o=bdPTlQf&CFqu=19f8e0&
  bgm0=aWwsHUBlJQwBRVF

• 2015-08-14 16:48:58 UTC - free3dprint.cf - GET /build?yGFIk=cFxNB1MATlRXBlgA&lqbmHX=dBV&HHNg=338dd01&cF6=bQG1AHH&4pcS=8782ba522&
  Au3f3=eVaBlZJVAlQ&JVL3q=aVx0TSRBQAARVTx0ETlMfUxNQV1YHRRNcXBFNVgdJA1V

• 2015-08-14 16:49:01 UTC - free3dprint.cf - GET /order?UiqvCZr=6fb216bd&JT9S5i=dfQQ&seMMpfO=aVAwPUB1EV1cCAxtJAxlVSQdHVwBQURFHWwsX&
  OC3=e9_eDUHQwRsVxlS&jLDe=bGwJTTlRTBk8EAEtaG1MHBxlSAVI&44JG3b4=78b234d271&SQggza=cMB1JTDFICTlI

 

POST-INFECTION TRAFFIC CAUSED BY THE CRYPTOWALL 3.0 PAYLOAD:

• 2015-08-14 16:49:50 UTC - ip-addr.es - GET /
• 2015-08-14 16:49:52 UTC - bryanfross.com - POST /wp-content/themes/twentyeleven/ccccc.php?b=6r92nrnhmf0jru9
• 2015-08-14 16:49:55 UTC - bryanfross.com - POST /wp-content/themes/twentyeleven/ccccc.php?y=73p2o0g9vop52f
• 2015-08-14 16:49:58 UTC - bryanfross.com - POST /wp-content/themes/twentyeleven/ccccc.php?p=sqxpas25f5kz
• 2015-08-14 16:50:07 UTC - bryanfross.com - POST /wp-content/themes/twentyeleven/ccccc.php?k=zh0j135jvzx3o

 

THE USER CLICKING ON LINKS AND BRINGING UP THE DECRYPT PAGES:

• 2015-08-14 16:50:26 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /[info removed]
• 2015-08-14 16:50:28 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/style.css
• 2015-08-14 16:50:28 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/flags/us.png
• 2015-08-14 16:50:29 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/flags/fr.png
• 2015-08-14 16:50:29 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/flags/it.png
• 2015-08-14 16:50:29 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/flags/es.png
• 2015-08-14 16:50:29 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/flags/de.png
• 2015-08-14 16:50:29 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /picture.php?k=[info removed]&8a98cc2395101e1406fa176841ad5598
• 2015-08-14 16:50:31 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/lt.png
• 2015-08-14 16:50:32 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/rb.png
• 2015-08-14 16:50:32 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/rt.png
• 2015-08-14 16:50:32 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/lb.png
• 2015-08-14 16:50:35 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /favicon.ico
• 2015-08-14 16:50:39 UTC - 6i3cb6owitcouepv.speralreaopio.com - POST /[info removed]
• 2015-08-14 16:50:42 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/flags/au.png
• 2015-08-14 16:50:42 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/bitcoin.png
• 2015-08-14 16:50:42 UTC - 6i3cb6owitcouepv.speralreaopio.com - GET /img/button_pay.png
• 2015-08-14 16:50:55 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /[info removed]
• 2015-08-14 16:50:57 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/style.css
• 2015-08-14 16:50:57 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/flags/us.png
• 2015-08-14 16:50:58 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/flags/it.png
• 2015-08-14 16:50:58 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/flags/es.png
• 2015-08-14 16:50:58 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/flags/fr.png
• 2015-08-14 16:50:58 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/flags/de.png
• 2015-08-14 16:50:58 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /picture.php?k=[info removed]&a67c690209e174c1c709a9b2f50e564b
• 2015-08-14 16:51:00 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/lt.png
• 2015-08-14 16:51:00 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/rt.png
• 2015-08-14 16:51:00 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/lb.png
• 2015-08-14 16:51:01 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/rb.png
• 2015-08-14 16:51:05 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /favicon.ico
• 2015-08-14 16:51:10 UTC - 6i3cb6owitcouepv.vremlreafpa.com - POST /[info removed]
• 2015-08-14 16:51:13 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/flags/au.png
• 2015-08-14 16:51:13 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/bitcoin.png
• 2015-08-14 16:51:13 UTC - 6i3cb6owitcouepv.vremlreafpa.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-08-14-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-08-14-BizCN-gate-actor-Nuclear-EK-artifacts.zip

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.