2015-09-29 - NUCLEAR EK FROM 162.247.14.204 - KOLENKOVOLODKI.CF

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-09-29-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-09-29-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• Two payloads from Nuclear EK.  One was TelsaCrypt 2.0 and the other was something else (maybe Necurs).
• There was some click-fraud and non-DNS UDP traffic I didn't include in the write-up, so please review the pcap for details not shown below.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 188.128.190.83 port 80 - roninsnowboards.com - Compromised website
• 162.247.14.190 port 80 - yidjskdfjskdfsdf.tk - Redirect
• 162.247.14.204 port 80 - kolenkovolodki.cf - Nuclear EK
• See below for some of hte post-infection traffic

 

INFECTION TRAFFIC:

• 2015-09-29 15:36:47 UTC - roninsnowboards.com - GET /

• 2015-09-29 15:36:49 UTC - yidjskdfjskdfsdf.tk - GET /052F

• 2015-09-29 15:36:52 UTC - kolenkovolodki.cf - GET /search?q=3dbbe50e&W4t1O=cUDFRa&TwPvo=bBAxEV0xaClldDVteE1p&SqSxfsb=fbBQ&4SKQkiN=
  g..&MlBRoZN=e&V4hWTK=aCl5VAE1EAkRX&TIgR=dDBt&BHJ8W=38cc0721

• 2015-09-29 15:36:54 kolenkovolodki.cf - GET /document.shtml?Yyqa4=cUkJVwQCU&LjG=aBkhBGVRMBVEIGQFEUgVN&Hg24a=dAEJ&D62Yr7T=
  bDlpUBl5aCkNXD19VDlwWAFZNVgIWVwYfVAQOTQEJU&9WSpwgX=1f01f82c&5H79jT=eUwECGVNUUA..&BIwW1=871316ae05

• 2015-09-29 15:36:55 UTC - kolenkovolodki.cf - POST /file?FVH3=aB1huD0ZEAkRXBAxECF9dAFtTDEZeCVpcCFkfBlNEUAcfUQMWUg&SYqpA8=
  bEHSwQAV0w&76o4=0db0c48&AuI=fLHwQ.&AxYu6Po=eQQ&XP4=dAV&Tw8m=90f815bba&NAdB3c=cAUQELVgQ

• 2015-09-29 15:36:55 UTC - kolenkovolodki.cf - POST /document.shtml?SyF3=2cb01ca&IGb7D0=bVDlwWAFZNVg&CwwkT=2b144671&UU6vXi=
  dQCUAEJUwECGQE.&Xq5=cIWVwYfVAQOTQEJUUkJVw&H1XfG1=aB1huA1lZEFhNBEFeAglNDlpUBl5aCkNXD19

• 2015-09-29 15:36:59 UTC - kolenkovolodki.cf - GET /order?QO7b=bNXGQYPTQQHSwQJVR4AXQFEUgQFVgAMU&9xRFqVA=aBVldAElZF1ZQXEkMH
  wIBGV5XD1VfDlpODFxeAV5RTV&ZPa3P=116202551&CyiH=cgAA&OPrZE=gwD&OQtV1t=dVkkPH&ZHJf=fG0&Qh6wH27=81843062b&GRh=e1R1KEFu

• 2015-09-29 15:37:00 UTC - kolenkovolodki.cf - GET /cart?XCkwAz=aBVldAElZF1ZQXEkMHwEEGV5XD1VfDlpODF&Nxapn=bxeAV5RTVNXGQYPTQQH
  SwQJVR4AXQFEUg&M07cW=12d859&BHIw=59023e7&GW35D02=cQFVgAMUgAAVkkPH1drAXtOJFt0GQQ.

 

POST-INFECTION TRAFFIC:

• 2015-09-29 15:37:06 UTC - myexternalip.com - GET /raw
• 2015-09-29 15:37:07 UTC - 103.21.59.28 - hotelshyamregency.com - GET /wp-includes/js/thickbox/misc.php?E3A52264CF4279[very long string]
• 2015-09-29 15:37:31 UTC - 103.21.59.28 - hotelshyamregency.com - GET /wp-includes/js/thickbox/misc.php?572A56481F78D9[very long string]
• 2015-09-29 15:37:47 UTC - 143.95.87.76 - motherbeing-news.com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:37:49 UTC - 192.186.255.0 - mindfucktoys.com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:37:51 UTC - 192.185.16.111 - mommycums.com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:37:58 UTC - 160.153.94.33 - musictocheer.com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:00 UTC - 141.101.3.36 - 731pro.pw - POST /gate777.php
• 2015-09-29 15:38:02 UTC - 143.95.87.76 - motherbeing-news.com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:38:02 UTC - 192.95.31.85 - syedali-hajveri.com - GET /crypt914.exe
• 2015-09-29 15:38:04 UTC - 192.186.255.0 - mindfucktoys.com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:38:06 UTC - 192.185.16.111 - mommycums.com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:38:06 UTC - 178.159.112.110 - 731pro.pw - POST /gate777.php
• 2015-09-29 15:38:12 UTC - 160.153.94.33 - musictocheer.com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:18 UTC - 159.224.247.95 - 731pro.pw - POST /gate777.php
• 2015-09-29 15:38:18 UTC - 143.95.87.76 - motherbeing-news.com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:38:20 UTC - 213.180.204.3 - ya.ru - GET /
• 2015-09-29 15:38:20 UTC - 192.186.255.0 - mindfucktoys.com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:38:21 UTC - 192.185.16.111 - mommycums.com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:38:22 UTC - 143.95.87.76 - motherbeing-news.com - POST /wp-content/plugins/youtube-sidebar-widget/system3.php
• 2015-09-29 15:38:26 UTC - 192.186.255.0 - mindfucktoys.com - POST /wp-content/plugins/admin-post-navigation/system3.php
• 2015-09-29 15:38:28 UTC - 192.185.16.111 - mommycums.com - POST /wp-content/themes/hatch/system3.php
• 2015-09-29 15:38:29 UTC - 160.153.94.33 - musictocheer.com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:31 UTC - 141.101.3.36 - 731pro.pw - POST /gate777.php
• 2015-09-29 15:38:34 UTC - 160.153.94.33 - musictocheer.com - POST /wp-content/themes/twentyfourteen/system3.php
• 2015-09-29 15:38:35 UTC - 46.119.105.213 - 731pro.pw - POST /gate777.php
• 2015-09-29 15:38:47 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /[[[[redacted]]]]
• 2015-09-29 15:38:48 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/style.css
• 2015-09-29 15:38:48 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/flags/us.png
• 2015-09-29 15:38:48 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/flags/de.png
• 2015-09-29 15:38:48 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/flags/es.png
• 2015-09-29 15:38:48 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/flags/fr.png
• 2015-09-29 15:38:48 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/flags/it.png
• 2015-09-29 15:38:49 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /captcha.php
• 2015-09-29 15:38:49 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/lb.png
• 2015-09-29 15:38:49 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/rb.png
• 2015-09-29 15:38:50 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/lt.png
• 2015-09-29 15:38:50 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/rt.png
• 2015-09-29 15:38:51 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /favicon.ico
• 2015-09-29 15:38:54 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - POST /[[[[redacted]]]]
• 2015-09-29 15:38:55 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /service.php
• 2015-09-29 15:38:57 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/bitcoin.png
• 2015-09-29 15:38:57 UTC - 85.204.74.10 - djru34dnd.lgk749kch8ej.com - GET /img/button_pay.png
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /[[[[redacted]]]]
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/style.css
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/flags/us.png
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/flags/fr.png
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/flags/it.png
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/flags/es.png
• 2015-09-29 15:39:07 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/flags/de.png
• 2015-09-29 15:39:08 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /captcha.php
• 2015-09-29 15:39:08 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/lt.png
• 2015-09-29 15:39:08 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/rt.png
• 2015-09-29 15:39:08 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/lb.png
• 2015-09-29 15:39:08 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/rb.png
• 2015-09-29 15:39:09 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /favicon.ico
• 2015-09-29 15:39:12 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - POST /[[[[redacted]]]]
• 2015-09-29 15:39:13 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /service.php
• 2015-09-29 15:39:13 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/bitcoin.png
• 2015-09-29 15:39:13 UTC - 82.211.30.250 - ks53kc7s.td45hdrtabc23.com - GET /img/button_pay.png

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD 1 OF 2:

File name:  2015-09-29-Nuclear-EK-payload-1-of-2.exe
File size:  111.5 KB ( 114176 bytes )
MD5 hash:  7c9bc9e7a4162ee0c175ef16ffc6b7f4
SHA1 hash:  23afa1bff785e346c892a1306cb3ea17190012ca
SHA256 hash:  50b1d95d1ceaaa23055a7ca8ef2c509fdea590d55ebf24aecb99340e2146ab04
Detection ratio:  18 / 56
First submission:  2015-09-29 16:36:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/50b1d95d1ceaaa23055a7ca8ef2c509fdea590d55ebf24aecb99340e2146ab04/analysis/
Malwr link:  https://malwr.com/analysis/MTJiYjhlZmM0ODFiNDA0ZWFmOTZlNDU0MDhkMjE1Y2Q/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/50b1d95d1ceaaa23055a7ca8ef2c509fdea590d55ebf24aecb99340e2146ab04?environmentId=4

 

MALWARE PAYLOAD 2 OF 2 (TESLACRYPT 2.0):

File name:  2015-09-29-Nuclear-EK-payload-2-of-2.exe
File size:  377.9 KB ( 386963 bytes )
MD5 hash:  91f696e9dea1f3ff5cacb892eb517790
SHA1 hash:  eed903d8c7f669b43eecee685c0f12827a4b93f0
SHA256 hash:  4130a04843e19a995a8a3ab0b5219cf84bd6fdde3e7e816522ddf99ac3621681
Detection ratio:  7 / 55
First submission:  2015-09-29 14:15:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4130a04843e19a995a8a3ab0b5219cf84bd6fdde3e7e816522ddf99ac3621681/analysis/
Malwr link:  https://malwr.com/analysis/ZmVmM2QyNDAwYmU5NDRhOTg0NTQwNDFhZjM0YjhhNjk/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/4130a04843e19a995a8a3ab0b5219cf84bd6fdde3e7e816522ddf99ac3621681?environmentId=4

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP of the PCAP:  2015-09-29-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-09-29-Nuclear-EK-malware-and-artifacts.zip

NOTE:  All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.