2015-11-23 - BIZCN GATE ACTOR NUCLEAR EK FROM 5.175.193[.]253 - 369504.6210.YANI-ET[.]XYZ
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2015-11-23-BizCN-gate-actor-Nuclear-EK-sends-CryptoWall-ransomware-traffic.pcap.zip 980.5 kB (980,521 bytes)
- 2015-11-23-Nuclear-EK-and-CryptoWall-ransomware-files.zip 439.4 kB (439,387 bytes)
IMAGES
Shown above: Pcap of the traffic filtered in Wireshark.
Shown above: Injected script in page from the compromised website.
Shown above: CryptoWall ransomware retrieved from the infected host.
Shown above: Artifacts left over after the CryptoWall infection.
Shown above: Desktop after the CryptoWall infection.
Shown above: User checking the decrypt instructions for the ransom payment info.