2015-10-18 - BIZCN GATE NUCLEAR EK FROM 5.175.148.193 SENDS CRYPTOWALL 3.0

ASSOCIATED FILES:

• ZIP file of the PCAP:  2015-10-18-BizCN-gate-actor-Nuclear-EK-traffic.zip   653.3 kB (653,252 bytes)
• ZIP file of the malware:  2015-10-18-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip   356.7 kB (356,681 bytes)

 

NOTES:

• Bitcoin address I got for this CryptoWall 3.0 sample's ransom payment was:  178ddNoCFnznwqGbNdMs7ngursdf8rLFno

Shown above:  User checking one of the decryption instructions web pages.

 

CHAIN OF EVENTS

Shown above:  Results in Security Onion after using tcpreplay on the pcap.

 

ASSOCIATED DOMAINS:

• forums.macnn.com - Compromised website
• 136.243.224.10 port 80 - kroentro.com - BizCN-registered gate
• 5.175.148.193 port 80 - jostuwatko.xyz - Nuclear EK

• ip-addr.es - CryptoWall 3.0 check for IP address
• 64.99.80.30 port 80 - homopop.com - CryptoWall 3.0 post-infection traffic
• 104.28.12.104 port 80 - javlab.org - CryptoWall 3.0 post-infection traffic
• 173.254.28.37 port 80 - goatsinacoat.com - CryptoWall 3.0 post-infection traffic
• 93.93.200.150 port 80 - eliosbatterie.com - CryptoWall 3.0 post-infection traffic
• 192.185.114.225 port 80 - dorothygilstrap.com - CryptoWall 3.0 post-infection traffic
• 192.185.193.221 port 80 - hanecaklaw.com - CryptoWall 3.0 post-infection traffic
• 192.185.41.182 port 80 - floworldonline.com - CryptoWall 3.0 post-infection traffic
• 199.83.129.236 port 80 - contrasttraining.com - CryptoWall 3.0 post-infection traffic
• 108.167.182.248 port 80 - colinplatt.com - CryptoWall 3.0 post-infection traffic

• ayh2m57ruxjtwyd5.speralreaopio.com - Domain for one of the decrypt instruction pages - didn't resolve in DNS
• 95.128.181.13 port 80 - ayh2m57ruxjtwyd5.vremlreafpa.com - Domain for one of the decrypt instruction pages
• 95.128.181.13 port 80 - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - Domain for one of the decrypt instruction pages
• 109.70.26.37 port 80 - ayh2m57ruxjtwyd5.askhoreasption.com - Domain for one of the decrypt instruction pages - went to Russian site saying domain was unavailable

 

COMRPOMISED WEBSITE AND REDIRECT/GATE:

Shown above:  Injected script in page from the compromised website.

 

• 2015-10-18 01:40:15 UTC - forums.macnn.com - GET /
• 2015-10-18 01:40:16 UTC - kroentro.com - GET /h/J/kwPJWK-RxqHL-XhtzjN.php?pjwkv7l=4Nd1-7V43&vLD7qC=333mL2u1d&grC-k=_2q6Z5n3la_e&fOXN=m7ebPf27&
  c=eK4Q

 

NUCLEAR EK:

• 2015-10-18 01:40:17 UTC - jostuwatko.xyz - GET /search?oe=utf-8&ei=DV5UVE1LDFxaAwJVGAFMW1pEEEVHUEFcCx5ISE8.&q=vzjgamr+dtsj+rd+na&qws_rd=fr&ie=utf-8

• 2015-10-18 01:40:18 UTC - jostuwatko.xyz - GET /document.html?miwr=dAwEGU0xWXQY.&zlijpt=cEHBBsGXQBMAAEDUQED&muwz=36670b3&jwh=
  aAUhATV1bDgIHU0k&jdhg=9046d82ca3&jes=bGGAEHTV9YF0RFRlRDD18eSUxNGAYFHwQPSg

• 2015-10-18 01:40:19 UTC - jostuwatko.xyz - GET /build.aspx?bkw=19c8fa0&vpqzd=fmR-WXx4GAE.&blqql=bdC0NEREJWEFtfH01OHkwGBBsGXB4B&lnp=
  aAllcVElfCFoCBldLVUwBBkl&bfd=cBgAZVQkATQQDUA&arevgdc=6a76c47b&ilvg=elWJ&jmfse=dUBAgcDVQdMBk

 

POST-INFECTION TRAFFIC:

• 2015-10-18 01:40:36 UTC - ip-addr.es - GET /
• 2015-10-18 01:40:36 UTC - homopop.com - POST /1.php?p=9h7sfkr25eyfg
• 2015-10-18 01:40:37 UTC - javlab.org - POST /1.php?b=9h7sfkr25eyfg
• 2015-10-18 01:40:39 UTC - homopop.com - POST /1.php?z=4wzlsduwyfzed6
• 2015-10-18 01:40:40 UTC - javlab.org - POST /1.php?u=4wzlsduwyfzed6
• 2015-10-18 01:40:43 UTC - homopop.com - POST /1.php?k=78ysreh4qb8
• 2015-10-18 01:40:43 UTC - javlab.org - POST /1.php?f=78ysreh4qb8
• 2015-10-18 01:40:46 UTC - goatsinacoat.com - POST /1.php?r=78ysreh4qb8
• 2015-10-18 01:40:46 UTC - eliosbatterie.com - POST /1.php?v=78ysreh4qb8
• 2015-10-18 01:40:47 UTC - dorothygilstrap.com - POST /4.php?x=78ysreh4qb8
• 2015-10-18 01:40:47 UTC - dorothygilstrap.com - GET /cgi-sys/suspendedpage.cgi?x=78ysreh4qb8
• 2015-10-18 01:40:47 UTC - hanecaklaw.com - POST /4.php?a=78ysreh4qb8
• 2015-10-18 01:40:50 UTC - floworldonline.com - POST /4.php?q=78ysreh4qb8
• 2015-10-18 01:40:52 UTC - contrasttraining.com - POST /4.php?i=78ysreh4qb8
• 2015-10-18 01:40:53 UTC - colinplatt.com - POST /5.php?k=78ysreh4qb8
• 2015-10-18 01:40:57 UTC - homopop.com - POST /1.php?c=vob9xevd95ej
• 2015-10-18 01:40:57 UTC - javlab.org - POST /1.php?j=vob9xevd95ej

 

USER CHECKING THE DECRYPTION INSTRUCTION WEB PAGES:

• 2015-10-18 01:41:30 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /[info removed]
• 2015-10-18 01:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/style.css
• 2015-10-18 01:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/flags/us.png
• 2015-10-18 01:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/flags/fr.png
• 2015-10-18 01:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/flags/es.png
• 2015-10-18 01:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/flags/it.png
• 2015-10-18 01:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/flags/de.png
• 2015-10-18 01:41:32 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /picture.php?k=18l8xrs&c25e12beca24c3ed1a166239086a988b
• 2015-10-18 01:41:33 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/lt.png
• 2015-10-18 01:41:33 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/rt.png
• 2015-10-18 01:41:33 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/lb.png
• 2015-10-18 01:41:33 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/rb.png
• 2015-10-18 01:41:35 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /favicon.ico
• 2015-10-18 01:41:40 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - POST /[info removed]
• 2015-10-18 01:41:42 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/bitcoin.png
• 2015-10-18 01:41:42 UTC - ayh2m57ruxjtwyd5.vremlreafpa.com - GET /img/button_pay.png
• 2015-10-18 01:56:56 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /[info removed]
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/style.css
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/flags/us.png
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/flags/es.png
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/flags/fr.png
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/flags/de.png
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/flags/it.png
• 2015-10-18 01:56:58 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /picture.php?k=18l8xrs&796bb64f09a6497bfafb463b4cd0a362
• 2015-10-18 01:56:59 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/lt.png
• 2015-10-18 01:56:59 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/rt.png
• 2015-10-18 01:57:00 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/lb.png
• 2015-10-18 01:57:00 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/rb.png
• 2015-10-18 01:57:02 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /favicon.ico
• 2015-10-18 01:57:08 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - POST /[info removed]
• 2015-10-18 01:57:10 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/bitcoin.png
• 2015-10-18 01:57:10 UTC - ayh2m57ruxjtwyd5.wolfwallsreaetpay.com - GET /img/button_pay.png
• 2015-10-18 01:57:19 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /[info removed]
• 2015-10-18 01:57:19 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /img/logo_rc.png
• 2015-10-18 01:57:19 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /img/roundb.png
• 2015-10-18 01:57:19 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /img/bg.jpg
• 2015-10-18 01:57:19 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /img/gline.png
• 2015-10-18 01:57:19 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /img/arrow.png
• 2015-10-18 01:57:21 UTC - ayh2m57ruxjtwyd5.askhoreasption.com - GET /favicon.ico

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-18-BizCN-gate-actor-Nuclear-EK-flash-exploit.swf
File size:  59.7 KB ( 61116 bytes )
MD5 hash:  95278a4debde40fea520a1895d200f8f
SHA1 hash:  e0c2d4d4663bd8aaf05518004a947596e4806af8
SHA256 hash:  d8883383dcbc71f75ab855f84d292697474b8bbebdaee109698e0d68f4a4194b
Detection ratio:  4 / 56
First submission:  2015-10-20 15:29:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8883383dcbc71f75ab855f84d292697474b8bbebdaee109698e0d68f4a4194b/analysis/

 

MALWARE PAYLOAD:

File name:  2015-10-18-BizCN-gate-actor-Nuclear-EK-payload-CryptoWall-3.0.exe
File size:  151.5 KB ( 155146 bytes )
MD5 hash:  2d814564ff4574bd423496bdd6105c24
SHA1 hash:  235d0914151a37b46178279f4793fc52acad2cfb
SHA256 hash:  ac24889f515b094fdf81f3d0144fb97357484a5b01bd65ac3e4b68c34b7c28c2
Detection ratio:  30 / 56
First submission:  2015-10-18 03:29:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ac24889f515b094fdf81f3d0144fb97357484a5b01bd65ac3e4b68c34b7c28c2/analysis/
Malwr link:  https://malwr.com/analysis/NWMwMzk4MjU3MjdjNDllMjlkNzNjZmIwZTE3NmNiZTU/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/ac24889f515b094fdf81f3d0144fb97357484a5b01bd65ac3e4b68c34b7c28c2?environmentId=1

 

FINAL NOTES

Once again, here are the associated files:

• ZIP file of the PCAP:  2015-10-18-BizCN-gate-actor-Nuclear-EK-traffic.zip   653.3 kB (653,252 bytes)
• ZIP file of the malware:  2015-10-18-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip   356.7 kB (356,681 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.