2015-10-16 - ANGLER AND 052F GATE NUCLEAR EK FROM THE SAME COMPROMISED WEBSITE

ASSOCIATED FILES:

• ZIP file of the PCAPs:  2015-10-16-Angler-and-052F-Nuclear-EK-traffic.zip   2.5 MB (2,607,622 bytes)
• ZIP file of the malware:  2015-10-16-Angler-and-052F-Nuclear-EK-malware-and-artifacts.zip   1.2 MB (1,199,137 bytes)

 

NOTES:

• The compromised website had at least two different sets of injected script, one leading to Angler EK and the other leading to the 052F gate.
• In the first infection, I only saw the 052F gate Nuclear EK send CryptoWall 3.0 but no Angler.
• In the second infection, the 052F gate didn't work, and I got Angler EK sending Bedep instead.
• For more info on the 052F gate, see:  https://isc.sans.edu/forums/diary/Exploit+kit+roundup+Less+Angler+more+Nuclear/20255/

• Both times had the same two types of injected script in the same page from the comrpomised website.

      Shown above:  Flow chart for the infection chains.

 

INJECTED SCRIPT FROM THE COMPROMISED WEBSITE

Shown above:  Start of the injected script leading to Angler EK.

 

Shown above:  Start of the injected script leading to the 052F gate.

 

052F GATE EXAMPLES

Shown above:  If the 052F gate works...

 

Shown above:  If the 052F gate doesn't work...

 

CHAIN OF EVENTS - 052F GATE NUCLEAR EK SENDS CRYPTOWALL 3.0

Shown above:  Wireshark display for the pcap, filtered on HTTP requests.

 

ASSOCIATED DOMAINS:

• www.herbstfestrosenheim.it - Compromised website
• 45.63.49.27 port 80 - scykamurchik.tk - 052F gate
• 108.61.219.237 port 80 - trycbnyetyebhetert.tk - Nuclear EK
• ip-addr.es - IP address check by the CryptoWall 3.0 sample
• 108.175.149.16 port 80 - unimedicaven.com - CryptoWall 3.0 post-infection callback
• 184.168.152.2 port 80 - solatect.com - CryptoWall 3.0 post-infection callback
• 37.140.192.28 port 80 - master-krepezha.ru - CryptoWall 3.0 post-infection callback
• 103.21.59.24 port 80 - visionbahrain.com - CryptoWall 3.0 post-infection callback
• 200.98.197.57 port 80 - devolus.com.br - CryptoWall 3.0 post-infection callback
• 62.210.16.61 port 80 - patricebaudin.com - CryptoWall 3.0 post-infection callback
• 166.62.88.7 port 80 - almartranslation.com - CryptoWall 3.0 post-infection callback
• 77.243.131.106 port 80 - mmcomposite.dk - CryptoWall 3.0 post-infection callback
• 200.98.190.7 port 80 - comprarbbom.com.br - CryptoWall 3.0 post-infection callback
• 64.50.163.44 port 80 - carolinaforestchildcare.com - CryptoWall 3.0 post-infection callback
• 89.238.188.91 port 80 - intouchaccess.com - CryptoWall 3.0 post-infection callback
• 92.240.253.14 port 80 - sport-mix.sk - CryptoWall 3.0 post-infection callback
• 64.50.163.44 port 80 - wswellproducts.com - CryptoWall 3.0 post-infection callback
• 185.57.172.135 port 80 - quali-man.com - CryptoWall 3.0 post-infection callback
• 108.175.149.16 port 80 - unimedicaven.com - CryptoWall 3.0 post-infection callback
• 184.168.152.2 port 80 - solatect.com - CryptoWall 3.0 post-infection callback

 

MALWARE PAYLOAD - CRYPTOWALL 3.0:

• File size:  205.3 KB ( 210,242 bytes )
• MD5 hash:  19aede0ea4d45e08ee8ea4991f7e8715
• SHA1 hash:  73735bb9fee8c992564a0ce7a238673b2b7e95fe
• SHA256 hash:  85eeccb49ff1e4b90f21fffb75aa5aa9c57b1e4231e1427a6e4bdfc05e7e99fc
• Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

 

CHAIN OF EVENTS - ANGLER EK SENDS BEDEP

Shown above:  Wireshark display for the pcap, filtered on HTTP requests.

 

ASSOCIATED DOMAINS:

• www.herbstfestrosenheim.it - Compromised website
• 45.63.49.27 port 80 - scykamurchik.tk - 052F gate (returned 302 found to ya.ru)
• 173.45.91.246 port 80 - interiectasque.caterkcmetro.com - Angler EK
• 23.35.120.11 port 80 - www.ecb.europa.eu - connectivity check by the malware
• 195.22.26.253 port 80 - bmrapfyrpbranye8d.com - Post-infection traffic
• 195.22.28.222 port 80 - sso.anbtr.com - Post-infection traffic
• 195.22.26.252 port 80 - xsso.bmrapfyrpbranye8d.com - Post-infection traffic
• 95.211.205.228 port 80 - xobjzmhopjbboqkmc.com - Post-infection traffic
• 91.200.14.95 port 80 - ninthclub.com - Post-infection traffic
• 176.99.11.154 port 80 - 176.99.11.154 - Post-infection traffic
• 85.25.41.103 port 80 - bnud7nkk.com - GET /ads.php?sid=1957
• 37.130.226.158 port 80 - dv8flxaq.com - GET /ads.php?sid=1957
• 185.82.216.239 port 80 - hdu23arq02.com - GET /ads.php?sid=1957
• 185.82.216.238 port 80 - hc556c.com - GET /ads.php?sid=1957
• 104.193.252.233 port 80 - kx54jvcsk.com - GET /ads.php?sid=1957

 

FILES RETRIEVED FROM THE INFECTED HOST:

• C:\Users\[username]\AppData\Local\Temp\{90CA37F1-CFF0-4A1A-9574-B1E935453D92}\api-ms-win-system-rasser-l1-1-0.dll   (Virus Total link)

• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\tapiui.dll   (Virus Total link)

• C:\Users\[username]\AppData\Local\Gobut\EupeJliyx
• C:\Users\[username]\AppData\Local\Gobut\IoroZnif
• C:\Users\[username]\AppData\Local\Gobut\Qexot
• C:\Users\[username]\AppData\Local\Gobut\Qobinf
• C:\Users\[username]\AppData\Local\Gobut\WayoYras.dll   (Virus Total link)
• C:\Users\[username]\AppData\Local\Gobut\YohiKwal

 

ONE OF THE REGISTRY KEYS UPDATED ON THE INFECTED HOST:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

• Value name:  Worog
• Value type:  REG_SZ
• Value data:  regsvr32.exe "C:\Users\[username]\AppData\Local\Gobut\WayoYras.dll"

 

FINAL NOTES

Once again, here are the associated files:

• ZIP file of the PCAPs:  2015-10-16-Angler-and-052F-Nuclear-EK-traffic.zip   2.5 MB (2,607,622 bytes)
• ZIP file of the malware:  2015-10-16-Angler-and-052F-Nuclear-EK-malware-and-artifacts.zip   1.2 MB (1,199,137 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.