2015-08-14 - NUCLEAR EK FROM 95.85.21[.]30 - BACUHYTGBNVEDHHKO[.]ML

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-08-14-Nuclear-EK-traffic.pcap.zip
• 2015-08-14-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• Traffic patterns indicate this Nuclear EK is by the same actor I blogged about 2 days ago on 2015-08-12.
• Saw malicious script in page from the compromised website pointing to both Angler and Nuclear EK.  Only got Nuclear EK this time.

 

TRAFFIC

ASSOCIATED DOMAINS:

• eggheadzcafe[.]com - Compromised website
• 193.104.41[.]182 port 80 - mobi-auto[.]ru - Redirect (gate)
• 95.85.21[.]30 port 80 - bacuhytgbnvedhhko[.]ml - Nuclear EK

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-08-14 14:02:13 UTC - eggheadzcafe[.]com - GET /
• 2015-08-14 14:02:18 UTC - mobi-auto[.]ru - GET /7/

 

NUCLEAR EK:

• 2015-08-14 14:02:18 UTC - bacuhytgbnvedhhko[.]ml - GET /search?q=cW0&QH7=aXQwBAxofVxoODgofAB4HBwEWXBsR&uhkk=d&aLDv6=
  bAQANQgcBDgoI&vq9G=7cb54581&HZ5qi7M=646ac642&ZnrQcWp=ewICg

• 2015-08-14 14:02:18 UTC - bacuhytgbnvedhhko[.]ml - GET /build?8JeuK=gVVofUg5W&Ild=cANQgcBDgo&iKvPJVi=27f466&3TIu4g=fFNRVVtWAlJc&
  cepPSyz=aURoVGgEbXwoNGlYfAB4&72jF=eV1ZWS&NVWGEiT=18f0fd&X2pN=bHBwEWXBsRAQ&Lk5O=dIW0wICh5VAkxUXlVNAlpL

• 2015-08-14 14:02:20 UTC - bacuhytgbnvedhhko[.]ml - GET /order?AxQT8pl=993632fb5f&ERi9d=dXAR5UUlFaAVRVX1FbSFUZPA&wS4tf7S=
  bQocEgUBWhQAAg&5cRu=eolQhUUEDcfBQ&Ifn=coLXw1LCw4fAlRLV1pUGlRdSFN&iNd=59ca6da623&bVCx0=aUgsJAx4ATAkNDh5XSFYZBAMAQ

 

Click here to return to the main page.