2015-09-15 - NUCLEAR EK FROM 162.247.14.136 SENDS TESLACRYPT 2.0
PCAP AND MALWARE:
- ZIP of the PCAP: 2015-09-15-Nuclear-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
- ZIP file of the malware: 2015-09-15-Nuclear-EK-sends-TeslaCrypt-2.0-artifacts.zip
NOTES:
- More information on TeslaCrypt 2.0 can be found at: https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/
TRAFFIC
ASSOCIATED DOMAINS:
- 162.247.14.136 port 80 - zaprolikilavandu.tk - Nuclear EK
- myexternalip.com - IP address check by the malware
- 79.96.20.98 port 80 - majowy.info - TeslaCrypt 2.0 callback traffic
NUCLEAR EK:
- 2015-09-15 02:31:58 UTC - zaprolikilavandu.tk - GET /search?q=cXw9SR1JeU&XQ5=dhYdR&T8m=gg.&N7Fc=3827ff87b&BhHBTll=e&9Jp=fV&QKEr=8f95074&UMnR=blRRhFcXVpb&DEPauUE=aWF1UUxtPV1leBh8ATU
- 2015-09-15 02:32:00 UTC - zaprolikilavandu.tk - GET /test?7xLW=61c72fb72b&J87=elIHBQECDlcAAAtMUA8A&8Nwx=dEeBFUdAAIBS&KEl7VF=aVEtASgVZXwNMBR8CA09KVxNBXl9ZXQ&W9w6=cbSlYdBw&O4ipy=9618066&QWkmA=bpfUEVRWAdGH0d
- 2015-09-15 02:32:01 UTC - zaprolikilavandu.tk - POST /document.shtml?AyTBzf=dcDB1tPAg..&2p3=cQIEAlEBCQ&K5KZg9V=39c55f1f&IKqkqt=bAFEdAwUeB1ICT&VMMNWk=0142839&GyUVanN=aVVtvXBBPV1leBh9JUENCWQ9aWlpcVxVSX1dFGBdYTQYe
- 2015-09-15 02:32:02 UTC - zaprolikilavandu.tk - GET /cart?4MmuIh=dFEFHwIBB&X9Ff6=589d6524&OfBr0l0=aV1pcUx9VW10ASlBPAAFMTAJDQ1xcX&UCc=94a563&FbAUh=cEXR8GHwUCG&FGEaoV2=ex8CBQcCBFsHAgIISlRPWlBHYTZ-Ykl8fx8C&Bv1G=bwhaXVJGVw1XRB1
POST-INFECTION TRAFFIC:
- 2015-09-15 02:32:10 UTC - myexternalip.com - GET /raw
- 2015-09-15 02:32:11 UTC - majowy.info - GET /wp-content/plugins/wp-handy-lightbox/misc.php?98C347241FB030F610988E328A0E8D25C31B455C0CDEC46BDFA05C2660ABA0C9E9F708C6FA779143C53429A5A5F1A0892DDC315088D858E0AF0C5A002FB401188F68B670C2516C83383AB439E58965604815644F8083424A5B81256CB6F600EA29B72DE917AA508934B15A6A9A4E4D9A6FBDAF7586667EED6D3C0FAA848F5F0DFE954E81062213172F454830AD1BBC2A4B2CB83E389C19F312F7371C1CAA33B06F3042CB20E44797D684C696B019456536A439ECB368A08852ECE209AD759609BF3086DBE9FEDA8E5A3A62DBF6121FA6AAC66D31092EA928EADF7BD4DC55C86076DBE57142B134AA36FB236E85037DA439E88770A0CBC4F4C2A8C6F5B25C19EBAC64192CF2A91ABF64F72440EEFDB504D618C6C94120607771CDDB87EB5002ED7541DBBB2AB924140FF33E79BC73F91C0875DE9BA7F1B9E79D27A38BA2DF8B9957D3B98015DF944377A095DC869480E368D44694351808388DFA74547C21D3D0
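The post-infection sequence above has a shape that is easy to hunt for in proxy or Bro/Zeek-style HTTP logs: an external-IP lookup followed seconds later by a GET to a .php path whose entire query string is one long run of hex digits with no key=value structure. The following is an added detection example, not part of this page's artifacts; the log line format, the 60-second window, the 100-character length threshold and the list of IP-check hosts are assumptions, and the sample log is constructed from the requests listed above (the hex blob is truncated from the page's callback request).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log modelled on the requests listed on this page
# (format assumed: "<date> <time> UTC <host> <method> <path-with-query>").
SAMPLE_LOG = """\
2015-09-15 02:32:02 UTC zaprolikilavandu.tk GET /cart?4MmuIh=dFEFHwIBB&X9Ff6=589d6524
2015-09-15 02:32:10 UTC myexternalip.com GET /raw
2015-09-15 02:32:11 UTC majowy.info GET /wp-content/plugins/wp-handy-lightbox/misc.php?98C347241FB030F610988E328A0E8D25C31B455C0CDEC46BDFA05C2660ABA0C9E9F708C6FA779143C53429A5A5F1A0892DDC315088D858E0AF0C5A002FB401188F68B670C2516C83383AB439E58965604815644F8083424A5B81256
2015-09-15 02:40:00 UTC example.com GET /index.html?page=2
"""

# Assumption: hosts commonly used by malware to learn the victim's public IP.
IP_CHECK_HOSTS = {"myexternalip.com"}

LINE_RE = re.compile(r"^(\S+ \S+) UTC (\S+) (GET|POST) (\S+)$")
HEX_QUERY_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    path, _, query = m.group(4).partition("?")
    return {"ts": ts, "host": m.group(2), "method": m.group(3),
            "path": path, "query": query}


def is_hex_blob_callback(req, min_len=100):
    """Query string that is nothing but hex digits (no '=' or '&'), long, on a .php path."""
    return (req["path"].endswith(".php")
            and len(req["query"]) >= min_len
            and HEX_QUERY_RE.match(req["query"]) is not None)


def find_callbacks(log_text, window=timedelta(seconds=60)):
    """Return suspected C2 callbacks, noting whether an IP check preceded each within the window."""
    reqs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    last_ip_check = None
    alerts = []
    for r in reqs:
        if r["host"] in IP_CHECK_HOSTS:
            last_ip_check = r["ts"]
            continue
        if is_hex_blob_callback(r):
            preceded = last_ip_check is not None and r["ts"] - last_ip_check <= window
            alerts.append({"ts": r["ts"].isoformat(), "host": r["host"],
                           "path": r["path"], "after_ip_check": preceded})
    return alerts


if __name__ == "__main__":
    for a in find_callbacks(SAMPLE_LOG):
        print(a)
```

The hex-blob heuristic on its own will also fire on some legitimate applications that pass opaque tokens in the query string, so the `after_ip_check` flag is what raises the alert's confidence; in a real deployment the ordinary `key=value` requests to the Nuclear EK landing page are better covered by domain or IP indicators than by structural matching.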
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2015-09-15-Nuclear-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
- ZIP file of the malware: 2015-09-15-Nuclear-EK-sends-TeslaCrypt-2.0-artifacts.zip
NOTE: All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.