Malware-Traffic-Analysis.net - 2015-10-05 - Nuclear EK from

2015-10-05 - NUCLEAR EK FROM 108.61.189.157 - 2WHNXTJ0AX1NUDV.SPOOLHOSTZ.ML

ASSOCIATED FILES:

ZIP of PCAP(s): 2015-10-05-Nuclear-EK-traffic.pcap.zip
ZIP of the malware: 2015-10-05-Nuclear-EK-malware.zip

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

randomremodeling.com - Compromised website
187.45.195.139 port 80 - alphameioambiente.com.br - Gate (redirect)
108.61.189.157 port 80 - 2whnxtj0ax1nudv.spoolhostz.ml - Nuclear EK
193.105.240.62 port 80 - film24hd.us - Post-infection traffic caused by the malware

INFECTION TRAFFIC:

2015-10-05 16:21:01 UTC - randomremodeling.com - GET /

2015-10-05 16:21:02 UTC - alphameioambiente.com.br - GET /templates/beez_20/dcxjtpq4.php?id=1210128

2015-10-05 16:21:04 UTC - 2whnxtj0ax1nudv.spoolhostz.ml - GET /url?sa=i&rct=x&q=&esrc=u&source=web&cd=3&ved=bHChQGQBdFFA&url=https%3A%2F%2F
db84dd6a.com&MlCV=7a27d2ad6&ZmG=aDQ8GU0FKC1kHTEUEGFMVXldOEAtSV0E&Aw1sRi=44218b2&NX61rR6=c4NWlFZF&Fwb3=dxUYGFRa

2015-10-05 16:21:05 UTC - 2whnxtj0ax1nudv.spoolhostz.ml - GET /file?RBFWy3h=cWBg8EVFdWSl9aVw..&Dj3Ou=aARkSSlYOARseBEUHGFMVXldOEAtSV0EHC
hQGQBdFFA4NWlFZFxUYGFRa&PddA174=4c8182db1&S6FLGHa=92427b62d&Q5X=bGFRMAAsYUU9QBUUHUFV

2015-10-05 16:21:06 UTC - 2whnxtj0ax1nudv.spoolhostz.ml - GET /favicon.ico

2015-10-05 16:21:06 UTC - 2whnxtj0ax1nudv.spoolhostz.ml - POST /test?17g3G=bDABdMRUlZCw0KWUpCHk&35h2J7r=c8PWkUDSldQGAwYVlIe&Wpy=
aAAk9XEpKC1kHTEUEEwkMTk1cVAAaB1d&SuPV=04de428e25&EOm6=fAk&H4zvWY=e0CUFFUB&421Ojc=dBw&M2HH=54a23ee7&O2J=gAUB1Q

2015-10-05 16:21:08 UTC - 2whnxtj0ax1nudv.spoolhostz.ml - GET /test?YY7=bTBdbCB1XGA8ESlRMBApKVVVWAgkAVlFU&CE9ET=586857f93d&7jp=
cAkUBGCoO&Lv2=aAggOU0VZXAQYSgtKVR1QQVFYHBUIBlhOVQ8XUk8YFxENWVVeCxIW&81FGAYb=523c63451&A4cRc=dbHVQGFA.

2015-10-05 16:22:39 UTC - film24hd.us - POST /filmy_2013/viewlist.php

FINAL NOTES

Once again, here are the associated files:

ZIP of PCAP(s): 2015-10-05-Nuclear-EK-traffic.pcap.zip
ZIP of the malware: 2015-10-05-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.