2015-09-16 - NUCLEAR EK FROM 162.247.14.156 SENDS TESLACRYPT 2.0

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-09-16-Nuclear-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
• ZIP file of the malware:   2015-09-16-Nuclear-EK-sends-TeslaCrypt-2.0-artifacts.zip

 

NOTES:

• More information on TeslaCrypt 2.0 can be found at: 

• 2015-07-14 - Securelist Blog - TeslaCrypt 2.0 disguised as CryptoWall (Author: Fedor Sinitsyn) - link
• 2015-09-16 - iSIGHT Partners Blog - TeslaCrypt 2.0: Cyber Crime Malware Behavior, Capabilities and Communications (Author: Richard Hummel) - link

 

TRAFFIC

ASSOCIATED DOMAINS:

• 162.247.14.156 port 80 - rajonokolon.ga - Nuclear EK
• myexternalip.com - Address check by the TeslaCrypt 2.0 ransomware
• 79.96.20.98 port 80 - majowy.info - Callback traffic from the TeslaCrypt 2.0 ransomware

 

NUCLEAR EK:

• 2015-09-16 13:38:32 UTC - rajonokolon.ga GET /search?q=dFoKW1sWBFQ.&8oJ=bFEEVQMW1t&00aoav=cXC&GbFOs=aXVtcBk0aRVhCE1peSA&
  5Fb4Lo4=5072942&KYxW=473f90c8

• 2015-09-16 13:38:33 UTC - rajonokolon.ga GET /file?1x5Sd=ceAxsOVRtXBA&YpK=bAMOTQR&Br7=9f0875f7d&YFX6=aUU1IH0QLTkVXW0lSSAQNH0cHXl
  pWDF4JWFpWTVIHS&WCyMPs=4336b55f50&PEvF9xd=dBEUgFSBgEJUwJXBkleDwY.

• 2015-09-16 13:38:34 UTC - rajonokolon.ga POST /test?XGGozp=aUF1nCUYaRVhCE1peSEdZ&RCe=5be878ab&PtWFD9x=bCVoIW15XD1oIGlJZHwNQGgQAV&
  X7UQ=gUUlS&TvHR=eIJ&5HoMnN=6f6b67&LMr=f&WqeXiQ=cBtQAhsJUwAaBQE&CHk8n=dMUQFXBA

• 2015-09-16 13:38:35 UTC - rajonokolon.ga POST /order?Plj=cXBABEUgFSBgEJ&Zc8m=aUF1nBVkHR11EElgcRFoAH0cHXlpWDF4JWFpWTVIHSAMOTQRe&
  YVN=399627e&Vl2sDT=dUwJXBkkM&EldNI=bAxsOVRt&B5D=14bf0875f

• 2015-09-16 13:38:37 UTC - rajonokolon.ga GET /build?N6yiM1=68d292f&ZEPj2t=dSAAcMUgVRBQdEV&IjwBJ=cXDRsBVUkOVRtXDAIWVQNIBQUNHwR&
  JvpO=bAEkJVkkUVV9XDVoNW1l&DxcZ8z5=gFdBHwQ.&GRS=eEksfVh&Ie2e=aUlxUBkkXWU9IDA0a&AoeOeyR=fuAVwlf&HgadRTX=168ae3

 

POST-INFECTION TRAFFIC :

• 2015-09-16 13:38:44 UTC - myexternalip.com - GET /raw

• 2015-09-16 13:38:45 UTC - majowy.info - GET /wp-content/plugins/wp-handy-lightbox/misc.php?95AD3C2553770CA90107D167D448FB2A632AD5312656
  D1CB8801FCA83723F70E0F1DCA033E153F8C5919F2EAECE25043B096D0E3F0819246D95A7D470909F9D5E6030B6A29735990DDEA09FB68F9302C
  8E5A60BBEE6CBE5A6754E98D3B87DD31FC0A000170C36E5EE3B07C50B53CB7A63CC79174A5C15B7C53BCF28DFC37CC8D67C0D4809E4F4E3966F
  73178599058330B59894AFD32D254F7BD0D98D0F3A493B70011D38B7FB178DF32DD3C672F4BB7DF05DFC6825357C34B1EF86085BE492DE6816B4
  C3B8685F714ED33EB68F4CF86DADFD2C854625BF2A3C16D0569AEE32B94823584C5A3B1AA5F49280B77A8077C2A3FB91883AD66625FA7FCC3E0
  D6ACFD006F45FE837FB9C368384B598F0D7AC4577E2B83D6E8F479172AA186A8B1F5DAE5AA86EB3A356BDF8CE63AA61F1183CB2609FE633E194B
  C80C79D56F3F9E085A5E417C3874B66013F580F5D9B9824AF7572C1F3DB171A4D9B46646B76B70E1E7

• 2015-09-16 13:39:05 UTC - majowy.info - GET /wp-content/plugins/wp-handy-lightbox/misc.php?708A7086F6E5A644B7326A22488FF4A14E697D58A9770F
  5F0D2330809D678AE7EC7563DC8A50A4A8A0FFC017C13AFCD1CC4F7E58C6FDD44D2E0ACEDC567AFB331A4D6A98D68095B5521ABE186839056188
  4203FC4A02A4E007780CD909470297AAF4F8DBC7DADCB2F0A65D98CD8871A6BBAAFE77CDFE72C14BB7B5D2E7306B34FED878681954C42B4BE3E5
  23FD1CE7FF59555F1542DFBC5A64786B7D7ABDE44EF6FB84BC90AE7389E948F9B2F1AAACDD1323E2737A25AF2157A67A4C6254C9B085CDC2E3D9
  86D5914948F161709FEFB43F9829D8C320E3B707637F8DFF1EC9C6105A40D662E41BB9FD07A73F9264B0F78BA2529689A8BA3F42A900B3B5BE172D
  4D2AA4E3D529C24D24C161DA5B01D551B5CB9082A7D85C34C35E2B9F8593F8DA7B42E25FAADC052D64158078D0180D96BB48C35D5C4B737CEBAF
  8ABF4C302020923231362AD3FA59E6A5BF546617BA2AE335C17137E95CCBE2B47FCE5D7BF53E

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-09-16-Nuclear-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
• ZIP file of the malware:   2015-09-16-Nuclear-EK-sends-TeslaCrypt-2.0-artifacts.zip

NOTE:  All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.