2015-04-03 - NUCLEAR EK DROPS TESLACRYPT MALWARE

ASSOCIATED FILES:

• ZIP - pcap of the infection traffic:  2015-04-03-Nuclear-EK-traffic.pcap.zip
• ZIP - pcap from malwr.com analysis of the payload:  2015-04-03-malwr.com-analysis-of-payload.pcap.zip
• ZIP - associated malware:  2015-04-03-Nuclear-EK-malware.zip

 

NOTES:

• Today, Nuclear EK used a serveftp.com domain, which is normally associated with Fiesta EK.
• Those Nuclear EK URLs keep getting longer.
• Today's payload is Teslacrypt ransomware, and the bitcoin address for the ransom payment is: 18Vfp5yaeqJcrQ5dGqYbR8qvfnAznw1oVv

 

CHAIN OF EVENTS

DATE AND TIME OFF THE ACTIVITY:

• Start date/time of the pcap:  2015-04-03 15:06:03 UTC
• End date/time of the pcap:  2015-04-03 15:10:18 UTC

 

ASSOCIATED DOMAINS:

• 69.64.33.21 - pxymthldw.serveftp.com - Nuclear EK
• 54.209.66.221 - ipinfo.io - IP check (not inherently malicious)
• 104.28.10.192 - 7tno4hib47vlep5o.63ghdye17.com - Initial callback by the Teslacrypt ransomweare
• 104.28.10.192 - 34r6hq26q2h4jkzj.63ghdye17.com - Domain used when calling for the decrypt instructions

 

NUCLEAR EK:

• pxymthldw.serveftp.com - GET /E1JSDkMHGgJISUhNC0VcVVRDSEJRS0ZRAEVEF1NbCw.html
• pxymthldw.serveftp.com - GET /undefined
• pxymthldw.serveftp.com - GET /A0lERUVXAAZHCkwHGgJISUhNC0VcVVRDSEJRS0ZRAEVEF1NbC00CDx4FXgYaDgQaVQhICAQGXgEDCgUCVU1SVQI
• pxymthldw.serveftp.com - GET /AFhYXExBBVcDSgNIVU0HRUBMH1xAUVxQER9HXEJCA1dASR5XCVxIDwYaVwkDFwcASAINRQEAVAkEDgMBUAJIDExNLF9fSg
• pxymthldw.serveftp.com - GET /A0lERUVXAAZHCkwHGgJISUhNC0VcVVRDSEJRS0ZRAEVEF1NbC00CDx4FXgYaDgQaVQhICAQGXgEDCgUCVU1HUFxCA0M
• pxymthldw.serveftp.com - GET /AFhYXExBBVcDSgNIVU0HRUBMH1xAUVxQER9HXEJCA1dASR5XCVxIDwYaVwkDFwcASAINRQEAVAkEDgMBUAJIAUxNLF9fSg

 

POST-INFECTION TRAFFIC:

• ipinfo.io - GET /ip
• 7tno4hib47vlep5o.63ghdye17.com - GET /state1.php?U3ViamVjdD1QaW5nJmtleT1DMjc5MUV[long string of characters]
• 7tno4hib47vlep5o.63ghdye17.com - GET /state1.php?U3ViamVjdD1DcnlwdGVkJmtleT1DMjc[long string of characters]
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /?enc=18Vfp5yaeqJcrQ5dGqYbR8qvfnAznw1oVv
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /check.php
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /style.css
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /img/logo_white.png
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /img/curr.svg
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /img/decrypt.svg
• 34r6hq26q2h4jkzj.63ghdye17.com - GET /favicon.ico

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

• 69.64.33.21 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
• 69.64.33.21 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2 (sid:2020311)
• 69.64.33.21 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
• 69.64.33.21 port 80 - ET CURRENT_EVENTS Nuclear EK SilverLight Exploit (sid:2019917)
• 69.64.33.21 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SilverLight M2 (sid:2020317)
• DNS query for 7tno4hib47vlep5o.63ghdye17.com - ETPRO TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) (sid:2809702)
• 104.28.10.192 port 80 - ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1 (sid:2020717)
• 104.28.10.192 port 80 - ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2 (sid:2020718)
• 104.28.10.192 port 80 - ETPRO TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon Response (sid:2810074)
• DNS query for 34r6hq26q2h4jkzj.63ghdye17.com - ETPRO TROJAN Win32/Teslacrypt Ransomware .onion Proxy Domain (34r6hq26q2h4jkzj) (sid:2810075)

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.2 on Debian 7:

• 69.64.33.21 port 80 - [1:33981:2] EXPLOIT-KIT Nuclear exploit kit flash file download
• 104.28.10.192 port 80 - [1:33893:1] MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-04-03-Nuclear-EK-flash-exploit.swf
File size:  8.7 KB ( 8930 bytes )
MD5 hash:  b7ed8635d35845d880d5e98c1568115e
Detection ratio:  0 / 42
First submission:  2015-04-03 16:17:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/10bb822d37c8b5f6d31b97ece2d409a961c8ab411e5ea56d9d9f020feae04fc3/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2015-04-03-Nuclear-EK-silverlight-exploit.xap
File size:  17.5 KB ( 17940 bytes )
MD5 hash:  2f6b618d8784229ff5911ece667d9320
Detection ratio:  0 / 42
First submission:  2015-04-03 16:17:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7196c54642c29163efcda569789858b9a894df33c24b1a634d836dc3a748ba82/analysis/

 

MALWARE PAYLOAD:

File name:  2015-04-03-Nuclear-EK-malware-payload.exe
File size:  279.0 KB ( 285696 bytes )
MD5 hash:  f3b12a197d732cda29d6d9e698ea58bf
Detection ratio:  2 / 57
First submission:  2015-04-03 16:17:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4/analysis/
Malwr link:  https://malwr.com/analysis/YWRiZjUyOGU1ZTRmNDA1M2FiNDU2YWYyOTBhYzE3ZGE/

 

SCREENSHOTS FROM THE INFECTED HOST

 

FINAL NOTES

Once again, here are the associated files:

• ZIP - pcap of the infection traffic:  2015-04-03-Nuclear-EK-traffic.pcap.zip
• ZIP - pcap from malwr.com analysis of the payload:  2015-04-03-malwr.com-analysis-of-payload.pcap.zip
• ZIP - associated malware:  2015-04-03-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.