2015-07-05 - BIZCN GATE ACTOR USING NUCLEAR EK - TRAFFIC AND MALWARE

PCAPS AND MALWARE:

• ZIP file for all the traffic examples:  2015-07-03-thru-2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic.zip (8,629,269 bytes)
• ZIP file of the associated malware:  2015-07-03-thru-2015-07-05-BizCN-gate-actor-Nuclear-EK-malware.zip (1,316,015 bytes)

• Individual pcap files within the above traffic archive:

• 2015-07-03-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap   (1,058,928 bytes)
• 2015-07-03-BizCN-gate-actor-Nuclear-EK-traffic-example-2.pcap   (606,443 bytes)
• 2015-07-03-BizCN-gate-actor-Nuclear-EK-traffic-example-3.pcap   (1,030,374 bytes)
• 2015-07-04-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap   (632,325 bytes)
• 2015-07-04-BizCN-gate-actor-Nuclear-EK-traffic-example-2.pcap   (4,949,332 bytes)
• 2015-07-04-BizCN-gate-actor-Nuclear-EK-traffic-example-3.pcap   (1,082,113 bytes)
• 2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap   (626,075 bytes)
• 2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-2.pcap   (1,095,644 bytes)
• 2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-3.pcap   (579,164 bytes)
• 2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic-example-4.pcap   (585,983 bytes)

 

NOTES:

• Above has the traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
• The traffic listed below shows the compromised website followed by the BizCN gate, then Nuclear exploit kit (EK).
• Nuclear EK traffic from 2015-07-02 through 2015-07-05 is on 107.191.63.163.

 

UPDATE (2015-07-06):

• 2015-06-15-and-2015-07-02-BizCN-gate-actor-Nuclear-EK-malware.zip (426,997 bytes)

 

TRAFFIC

2015-06-15-BizCN-gate-actor-Nuclear-EK-traffic-example-1.pcap

185.92.223.3 port 80 - infeedworld.eu - Nuclear EK on 2015-06-15

• 15:52:57 UTC - www.visajourney.com - GET /
• 15:52:58 UTC - 136.243.224.10 - varadank.org GET /wn-jM-OYNsIolmZuTQg-p/giu-Gwn_hY.php?
  zd-Q-=ei3y48a&_z=csce36&T=3-aZ0_71&eLp9HP4K=PeH2H7_O64&f8XU=fb964&PNHUT-=1b8r21

• 15:53:07 UTC - infeedworld.eu - GET /GAkAEksFHVEIB1JRBU8JE1tQT10T.html
• 15:53:08 UTC - infeedworld.eu - GET /BEAWHU4FB0saUEsHHVEIB1JRBU8JE1tQT10THQECTwleVhkDUhZSUUsFVQtSUg8HVABRHVFYUA
• 15:53:08 UTC - infeedworld.eu - GET /B1EKBEtNUF4VHQZIUkQPD1FRBFwRDkVYBRYDFEsCVxZXWQAaVgtIVQdIUAxVVQQMUg1eVksBHX0zJXRnHQk

 

185.92.223.3 port 80 - infeedworld.eu - Nuclear EK on 2015-06-15

• 16:38:29 UTC - rugerforum.net - GET /
• 16:38:31 UTC - 148.251.187.233 - sulecass.com - GET /j_UTJLkusg-nRH/vKsuY_oxkU-GyRPw_-JOqh/wQGzTkH-p/UXnKoVT-MS-uP.js?
  N4h-=0Y3p&Z3-9_uDp=L13&pTD=fc&bL6_PnOJ=9a&b=f1&G67u8IQH=0uc

• 16:38:38 UTC - infeedworld.eu - GET /EVMEBERBHQkaCFlSBF0CFlhGDVxIBEI.html
• 16:38:39 UTC - infeedworld.eu - GET /BEAWHUdfA10VFEsFHQsaCFlSBF0CFlhGDVxIBEJIVBZQUxkNTwpWUUsFVQtSUg8CUgleHVFYUA
• 16:38:39 UTC - infeedworld.eu - GET /B1EKBEtECloDEkJIUERVHV5aB10DBUBbE1QCT1JBHQ1IVwUaWBZUUQdIUAxVVQQMVwtXWUsBHW8kJ3lfNXULBmdIUA
• 16:38:42 UTC - infeedworld.eu - GET /B1EKBEtECloDEkJIUERVHV5aB10DBUBbE1QCT1JBHQ1IVwUaWBZUUQdIUAxVVQQMVwtXWUsDHW8kJ3lfNXULBmdIUA

 

185.92.223.3 port 80 - infeedworld.eu - Nuclear EK on 2015-06-15

• 16:49:44 UTC - www.longrangehunting.com - GET /
• 16:49:45 UTC - 136.243.224.10 - kroentro.org - GET /Qg--tPYxIsT/-y-ZwrQTUxHRXs_O-juo/VLZIWmhKlxS.php?
  s=-d1hGb38fn2bN&Vlh8UC=e0f-dyta-5_-49&PM1-=ne

• 16:50:07 UTC - infeedworld.eu - GET /GEsBE0FIUEQPD1FRBFwRDkVYBRYDFA.html
• 16:50:07 UTC - infeedworld.eu - GET /BEAWHU5HBkoQHQZIUkQPD1FRBFwRDkVYBRYDFEsDWRZXUw4aUA5eTwYEVURXVQQAUgBRUQcDHV4KUA
• 16:50:08 UTC - infeedworld.eu - GET /B1EKBEtNEl8UF0sFHQsaCFlSBF0CFlhGDVxIBEJIVgBIUAUNTwlQWRkFUQwaUAMHVQteVgcEVkRTHVttAko2DFpGHQk

 

107.191.63.163 port 80 - cloud.blifoud.in - Nuclear EK

• 20:32:36 UTC - www.visajourney.com - GET /
• 20:32:37 UTC - 136.243.25.242 - margaritailles.com - GET /uLx_rgS-/jItMzpuTnq-JUN-i_mr.js?
  V4gfZ-OQ=774l4_dI&CQ=daM4j1uJbm&bGrhR=m5-a0f_6q&dgFB=X1a8_2jhc&Vlqen=bb3M2qf&nj_=408fPf_

• 20:32:46 UTC - cloud.blifoud.in - GET /W0IYV14dB00BXVYUUh8AXVAHWUQGH1AP.html
• 20:32:46 UTC - cloud.blifoud.in - GET /U0kSTVQSTFcFTQgdBU0BXVYUUh8AXVAHWUQGH1APSgNTAhdUGAdXHwhQAE1TBQpUDgdbAA9XSlcOAA
• 20:32:47 UTC - cloud.blifoud.in - GET /UFgOVEUMRUsEVkVQSgIeUlUOQ1VMU1UIUF4XVRcIWE1QAApPAx9UBBdQBwceAA1SAwlUCAhXAE1VTWgmRV4td1IXd2YeAA

 

107.191.63.163 port 80 - cloud.blifoud.in - Nuclear EK

• 20:46:19 UTC - rugerforum.net - GET /HTTP/1.1
• 20:46:20 UTC - 136.243.25.241 - sansaiaarias.com - GET /WZN-L-z/V-Tmg_QYxN-O-Kl/NsxYyR-IQLtV-rgnjh-_-UOo/rLuM_NtgGlk/_rR_shxjLMIvqmPOQTtGY.php?
  -F3gE-oUk=3f&_YV=7jd&-eunN=_bo4&xmt2f=bdq&n8ahckts6=mcs8&wV91Cefqn=8kf&BD=6c&-=41&vayJi2osS=-1

• 20:46:27 UTC - cloud.blifoud.in - GET /TkQGUlwYSgAeUlUOQ1VMU1UIUF4XVRcIWA.html
• 20:46:28 UTC - cloud.blifoud.in - GET /U0kSTUEUUlIHSEVQSgIeUlUOQ1VMU1UIUF4XVRcIWE1TAwFPBAFWHwhYAB9XAEVQAgJXCQ9YDwlVTV8NBw
• 20:46:30 UTC - cloud.blifoud.in - GET /UFgOVEUZQ1UBVEAdB01RTVoNWUQGH1sNX1cNRF1PX18eAAtZGANSBRdQDwdMBAgdBwVRBAFXDwhaBkVWSmYrc0MP
  UFYJTQg

 

• 2015-07-03 22:33:56 UTC - forums.pinstack.com - GET /
• 2015-07-03 22:33:57 UTC - 136.243.227.9 - woodicani.pw - GET /q_uRkrI-UXs-VYQP_/zjNmkORiYMGVQ-.js?
  qZnczx=_bt5WW3b&_=c3R-d6&Rxil8aUDW=5_dbev&8torYfT=2eS4Qc&hp=185n2&f67g-Ial1=e5_g1_6

• 2015-07-03 22:34:38 UTC - gastone.cf - GET /BEcMTVVLAlMVRQtZABwFVw.html
• 2015-07-03 22:34:38 UTC - gastone.cf - GET /AEoWTQVCD05XTVdLAlMVRQtZABwFVxgFVAFIBEoAVRxXBFdLVAZVBF0BVwpRCRhRCQM
• 2015-07-03 22:34:39 UTC - gastone.cf - GET /A1sKVBhWEFgaABgEGVUHQhBYC1dIUgJLVwNVH1EZUgJIAFEEGQNSAlEOUwBeBlxLUE4KViFtLEoteCdOGQM
• 2015-07-03 22:34:42 UTC - gastone.cf - GET /A1sKVBhWEFgaABgEGVUHQhBYC1dIUgJLVwNVH1EZUgJIAFEEGQNSAlEOUwBeBlxLUk4KViFtLEoteCdOGQM

 

• 2015-07-03 22:57:07 UTC - www.gtrlife.com - GET /
• 2015-07-03 22:57:09 UTC - 136.243.25.241 - alekaasandmeens.com - GET /V_OhYJ-_KxrMXsRZgUi-zWn/-xhow_-NYUn-PMrLy/-sTzu_-.js?
  hJwg=7r9&8bSOWMz-y=Gf4&u=eIa&v0wxZ=2V1&SuoV21Z=nb4-&MINlxtU=wap2&Y_toz7C=0N6q&-lex-f=12&MkVHnT5-W=Q1-4p

• 2015-07-03 22:57:14 UTC - altone.ml - GET /TwcADB5USlQJEA0LUxsICA.html
• 2015-07-03 22:57:15 UTC - altone.ml - GET /U00VGBtXU10ZVR5WSlQJEA0LUxsICB5WBxtWSlNQABtdUh5UAgZQXVRRBAZRGAQJBw
• 2015-07-03 22:57:16 UTC - altone.ml - GET /UFwJAR4cBFANGFMZBUkECBYKWFBLCQ4ZBQRLV0xUAwNLXFQZBwFWUVtTAgdWUB5SSnkOHAgTflEcAh5U

 

• 2015-07-03 23:57:29 UTC - rugerforum.net - GET /
• 2015-07-03 23:57:30 UTC - 136.243.25.241 - sansaiaarias.com - GET /SJx_Rpi-Vg-qMm-OK-vzIHLsX/K_M_NV/qtLJlWguN_zH-S_/xgqM_novZR_Q.js?
  GqpC=0a91ef013f9&n=0TfedTdRe-54V8ud3&kje03ymu1=fX

• 2015-07-03 23:57:53 UTC - altone.ml - GET /U1wHFB5USlQJEA0LUxsICA.html
• 2015-07-03 23:57:54 UTC - altone.ml - GET /U00VGAcMVEUZVR5WSlQJEA0LUxsICB5UBgxLVVRcGARSSlNSD0lUUFFQDwNSXFVRSlMJVQ
• 2015-07-03 23:57:55 UTC - altone.ml - GET /UFwJAR4AX1cVGFMZBUkECBYKWFBLCQ4ZBwVcSlNTDxtUU0xUAQwZVVZWAwxTU1pSAklQGAcJWGE9PgcMSgQ
• 2015-07-03 23:57:57 UTC - altone.ml - GET /UFwJAR4AX1cVGFMZBUkECBYKWFBLCQ4ZBwVcSlNTDxtUU0xUAQwZVVZWAwxTU1pSAklSGAcJWGE9PgcMSgQ

 

• 2015-07-04 13:32:53 UTC - www.visajourney.com - GET /
• 2015-07-04 13:32:55 UTC - 136.243.25.242 - margaritailles.com - GET /YskhVUK-/J_Ol_-j-/v_iy-N.php?
  ME=93&PYlKOX=bOe&o=a9&-=c_6&q-3Y=dh5&9avl-Dkm=eX3&noeO-09-d=62-&u3=e9&x=8S0

• 2015-07-04 13:33:04 UTC - centfou.gq - GET /V1QCD14GTlJOAVAKRgVdFxsDQw.html
• 2015-07-04 13:33:05 UTC - centfou.gq - GET /VxtCHlBTAg5ZAElVTlBOAVAKRgVdFxsDQx8HTARUAE0DVQRKA1BOUwFXBFMDVAJcBx9UDgQ
• 2015-07-04 13:33:06 UTC - centfou.gq - GET /VApeB0kBBVNfCVcYAx8BHlYBXBdUDUBKVRJOVxtVAlEcUwJVHFIBHgRQAVUCUwNTClZOV0kQRg1zFV0Rah8D
• 2015-07-04 13:33:08 UTC - centfou.gq - GET /VApeB0kBBVNfCVcYAx8BHlYBXBdUDUBKVRJOVxtVAlEcUwJVHFIBHgRQAVUCUwNTClZOVUkQRg1zFV0Rah8D

 

• 2015-07-04 15:25:25 UTC - www.gm-trucks.com - GET /
• 2015-07-04 15:25:26 UTC - 136.243.25.242 - hillarytone.com - GET /lnJqt--wxI-k_XzS_viQrNp/XsmYNizuj/tKlNkyQpoxTsPZH_jqOzW_w.php?
  KX9=46T&Rr4=ac&gNKR=1k3&FXCc=0_s2&dcwhJC_=b2Z&S8Jm=b_dt&5EZNi=a7K&Vq-KA-H-=c7

• 2015-07-04 15:25:32 UTC - centfou.gq - GET /RVFZAQUYAx9RB1sQVAxHTFIV.html
• 2015-07-04 15:25:33 UTC - centfou.gq - GET /VxtCHkJWWQACHgQYAR9RB1sQVAxHTFIVTlsCTAdQAU0DWgVKA1cKHgRQAVUCUAZRAVBOBFlV
• 2015-07-04 15:25:34 UTC - centfou.gq - GET /VApeB0kTAAhRUklVTlBOAVAKRgVdFxsDQx8KUhtWBlAcUw1UHFIGWklVBlAEUgdXB1ABHgIYZQx_EnMYAw

 

• 2015-07-04 19:23:59 UTC - www.i-programmer.info - GET /
• 2015-07-04 19:24:01 UTC - 136.243.227.9 - epittowds.pw - GET /wXZVqy-Jkj--NptHi-S_PxK_u/WgwmVLlNnvtjYZUh/-wPTVtK-QMlUu_WRZ-G-oNY.js?
  q_f=98J&-eqnoOJK-=e0&ev4gRQM=64&n=1y6&wVEBzCP=m5eZ&zbHkIG=et8&1pA=0

• 2015-07-04 19:24:10 UTC - betsfoi.ga - GET /WhkDVFYCS1BPAFYXRAdcCx0EVg.html
• 2015-07-04 19:24:11 UTC - betsfoi.ga - GET /UhlDHl4bB1dWA09SS1JPAFYXRAdcCx0EVh0EWh1SBVgdUwZTGVYEHgJXBFcDUQRbAlFPBF9S
• 2015-07-04 19:24:11 UTC - betsfoi.ga - GET /UQhfB08OT1EFB1IfBh0AHlEGQxJVDVpNUABPVQtNBlMKTAJWB08EVU9SA1IFUgBUD1QDHgYfVBNHOlE5dR0C
• 2015-07-04 19:24:15 UTC - betsfoi.ga - GET /UQhfB08OT1EFB1IfBh0AHlEGQxJVDVpNUABPVQtNBlMKTAJWB08EVU9SA1IFUgBUD1QDHgQfVBNHOlE5dR0C

 

• 2015-07-05 03:10:42 UTC - writingcommons.org - GET /
• 2015-07-05 03:10:46 UTC - 136.243.25.241 - glamdiarysnow.com - GET /zj-ISV-XNL-ktQrihgZs-T-Yp/-OMrW_kHLpJxiZQRn-IT--t.js?
  Z-m=Q9fn6ra2db0d1&C=b6_27cY915nfeM&uTd8=v31f7-5tcw4Za8d

• 2015-07-05 03:10:53 UTC - bluebit.ga - GET /R1MMExoJSlUIFwNaX0NKBQc.html
• 2015-07-05 03:10:54 UTC - bluebit.ga - GET /U08UHhdcXkYYUxoLSlUIFwNaX0NKBQdEAA5KV1EWBwFRTFcBBEtVVlUOBgFRWlMMSlEIUw
• 2015-07-05 03:10:56 UTC - bluebit.ga - GET /UF4IBxpJUl8VHldEBUsGDhNdVF4QTAFZSgFdTFMPGAZSV0gJDwUYU1ILAAdSV14NAktTHgdPeHgBEhoJ

 

• 2015-07-05 14:22:07 UTC - www.acne.org - GET /messageboard/
• 2015-07-05 14:22:08 UTC - 136.243.25.242 - melodiimilii.com - GET /hMVQixXy_s-/OI-RSzXroP-m/XLxpomzKGn-/Y___i-tmZ-khzpSsQ.php?
  -N=0l1784u497G8c82Zf2fdx2Yb

• 2015-07-05 14:22:13 UTC - bluebit.cf - GET /AAVSQBpUHVZZTAMHCEAbWgA.html
• 2015-07-05 14:22:13 UTC - bluebit.cf - GET /BExFRQdUBk1JCBpWHVZZTAMHCEAbWgAZVBoDC0hUVBoECV4ZUAAGD1dVVwUGChoDDQU
• 2015-07-05 14:22:14 UTC - bluebit.cf - GET /B11ZXBoEUFNMRVcZUkhXVRMAA11BFwUDHQEbD1RLUAEbCFZdHQUBClBUUQIEClUZVEhday0oFG1FSDQIHQU
• 2015-07-05 14:22:16 UTC - bluebit.cf - GET /B11ZXBoEUFNMRVcZUkhXVRMAA11BFwUDHQEbD1RLUAEbCFZdHQUBClBUUQIEClUZVkhday0oFG1FSDQIHQU

 

• 2015-07-05 19:50:34 UTC - www.iwsti.com - GET /
• 2015-07-05 19:50:35 UTC - 136.243.224.10 - nealychy.com - GET /pP-L___Nrlt-RmGsiJKo/M-ptrJNOqn-moK_v.js?
  RrfM6hwq=ab3d6_e&IAbRr=bJ6f1eo4&YKmCU=dwcR4Lb_c3P&atxe=gaYM62wa2ia&x=5Q

• 2015-07-05 19:50:39 UTC - fellinio.cf - GET /Wl9VUB4CS1FSWw5aWV5YGQFV.html
• 2015-07-05 19:50:40 UTC - fellinio.cf - GET /Uk9HSw9bVVBLBh4AS1FSWw5aWV5YGQFVSwIHGVQDGQYEA0wCAwRLBlYAAQYFAloADktRW1M
• 2015-07-05 19:50:41 UTC - fellinio.cf - GET /UV5bUh5eX1VQS1NPBEtRUg5fXlleWExQUUsCB0wFBxkGBFYdBgMES1MHBAEGBVcLBA5LAB5LRHtDZChnSwY

 

• 2015-07-05 20:11:43 UTC - www.depressionforums.org - GET /forums/
• 2015-07-05 20:11:44 UTC - 136.243.25.242 - bestmylikex.com - GET /Z-wjYS__HzNIyXpqQm_is/mh_r_T/-t/Tvkjq--GpRuMJt.js?
  ehx=b8s7d-&C3Q=G4V0LdRd&C=T2-0n3Rd-&qZL=fjaeaQ&_j3-5=bSL37j9&-XSkC0qE=9c7Ve

• 2015-07-05 20:12:02 UTC - fellinio.cf - GET /UQRYS1NPUVJbWwtdXlgZVAQ.html
• 2015-07-05 20:12:04 UTC - fellinio.cf - GET /Uk9HSwQAWEsGS1FPUVJbWwtdXlgZVARPBgcEGVMBGQ4ZBlcDSwYDBFQCBQAGBVBPUVsG
• 2015-07-05 20:12:06 UTC - fellinio.cf - GET /UV5bUh5VBFhLBh4AS1FSWw5aWV5YGQFVSwYHBEwCBRkOGVMGB0sGA1EFBgUABlABSwBLZjVpekFATglmSwY

 

FINAL NOTES

Once again, here's the traffic and malware:

• ZIP file for all the traffic examples:  2015-07-03-thru-2015-07-05-BizCN-gate-actor-Nuclear-EK-traffic.zip (8,629,269 bytes)
• ZIP file of the associated malware:  2015-07-03-thru-2015-07-05-BizCN-gate-actor-Nuclear-EK-malware.zip (1,316,015 bytes)

• 2015-06-15-and-2015-07-02-BizCN-gate-actor-Nuclear-EK-malware.zip (426,997 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.