2015-04-09 - NUCLEAR EK DELIVERS TROLDESH RANSOMWARE
ASSOCIATED FILES:
- ZIP of the pcap: 2015-04-09-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2015-04-09-Nuclear-EK-malware-and-artifacts.zip
NOTES:
- One of the ETPRO signatures indicates this is Win32/Troldesh.A ransomware.
- This one gives two email points of contact for you to email if you want to decrypt your files: deshifrator02@gmail.com or decoder1@india.com
Shown above: One of the text files with instructions to decrypt your files.
Shown above: The desktop background image telling you to look at the README.txt files.
CHAIN OF EVENTS
NUCLEAR EK FROM 108.61.188.200 PORT 80:
- 2015-04-09 18:07:19 UTC - ambasawild.ga - GET /VVgGCR4KB0wL.html
- 2015-04-09 18:07:19 UTC - ambasawild.ga - GET /BEFBRFZZAgFFC1MdC00JVgoNBgkLWVMJTQlbChsBDA1PUAoGFlAMBkxfVVM
- 2015-04-09 18:07:22 UTC - ambasawild.ga - GET /B1BdXR4MVAcIRVNTRQNEUwwHCA8JU1kLAURTAQceCAxVTwgCD0wKAQNFDB0Tf31TLVtSQEA
- 2015-04-09 18:07:25 UTC - ambasawild.ga - GET /B1BdXR4MVAcIRVNTRQNEUwwHCA8JU1kLAURTAQceCAxVTwgCD0wKAQNFDB0ib1d9FkQH
POST-INFECTION TRAFFIC:
- 2015-04-09 18:07:28 UTC - 216.58.216.205 port 443 - HTTPS traffic to: accounts.google.com
- 2015-04-09 18:07:29 UTC - 173.194.43.74 port 443 - HTTPS traffic to: oauth.googleusercontent.com
- 2015-04-09 18:07:31 UTC - 76.73.17.194 port 9090 - attempted TCP connection
- 2015-04-09 18:07:33 UTC - 86.59.21.38 port 443 - HTTPS traffic to: www.cfqi5ert5sm47tt.com
- 2015-04-09 18:07:35 UTC - 178.254.8.187 port 9001 - TLS traffic to: www.nvn3eha6ysrkyk4ijcbjc7dr.com
- 2015-04-09 18:07:35 UTC - 46.252.26.2 port 49991 - TLS traffic to: www.npfghz.com
- 2015-04-09 18:07:35 UTC - 91.220.163.62 port 443 - HTTPS traffic to: www.w3mioaou3hxlhkksv7kz6n.com
- 2015-04-09 18:07:56 UTC - 77.72.80.9 port 80 - myip.ru - GET /
- 2015-04-09 18:13:56 UTC - 91.220.163.62 port 443 - HTTPS traffic to: www.juhpjw4c55bzvinu.com
SNORT EVENTS
Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY, ET INFO, or ET TOR events):
- 198.61.188.200 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
- 198.61.188.200 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
- 198.61.188.200 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2 (sid:2020311)
- 77.72.80.9 port 80 - ETPRO TROJAN Win32/Troldesh.A Ransomware External IP Check (sid:2810365)
Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.2 on Debian 7:
- No significant signature hits noted at this time.
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-04-09-Nuclear-EK-flash-exploit.swf
File size: 15.1 KB ( 15463 bytes )
MD5 hash: aac06dd10cfe2f04867e674cf8485686
Detection ratio: 0 / 57
First submission: 2015-04-09 19:29:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/6048f8c0e63658005ece9165a5ed1ade3fd8ac64f96b4409f1330cb7aebfd53c/analysis/
MALWARE PAYLOAD:
File name: 2015-04-09-Nuclear-EK-malware-payload.exe
File size: 908.0 KB ( 929792 bytes )
MD5 hash: 5a4834df63b62f4ca8de004fbbd23ae6
Detection ratio: 8 / 57
First submission: 2015-04-09 19:29:39 UTC
VirusTotal link: https://www.virustotal.com/en/file/4329a3730c04c6c43b8261e246d861379e75ae01f8a997ad1df845a36a191d32/analysis/
Malwr link: https://malwr.com/analysis/YjQ4NjVlNWNkYjljNDAxYWJlYzQwMDk3YzA2ZmU1N2Y/
SCREENSHOTS FROM THE TRAFFIC
HTTP requests and TLS traffic noted in Wireshark:
Nuclear EK landing page:
Nuclear EK sending a Flash exploit:
Nuclear EK sending an obfuscated malware payload:
Post-infection traffic that generated the ETPRO TROJAN alert for Win32/Troldesh.A Ransomware External IP Check:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2015-04-09-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2015-04-09-Nuclear-EK-malware-and-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.