Notes
  • Found on Threatglass
  • Compromised domain redirects to both Angler EK and Nuclear EK
  • Not surprisingly, Angler EK dropped CryptoWall 3.0, but Nuclear EK dropped something else... Zbot variant?
  • Partially decoded Nuclear EK payload with thanks to Darien Huss for his help
    • Nuclear EK XOR key is LgytEiusGG
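An added helper (not part of the original post or of Darien Huss's work) for checking a candidate key against a captured Nuclear EK payload: it applies a repeating-key XOR with the key noted above and verifies that the result carries an MZ/PE header, so a wrong key or an extra encoding layer is caught instead of producing garbage. The assumption that the whole body is a plain repeating-key XOR is mine; the post only says the decode was partial. The sample buffer is constructed, not the real payload from the pcap.

```python
import struct

NUCLEAR_XOR_KEY = b"LgytEiusGG"  # key reported in the notes above


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key byte at the same position modulo len(key)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decoded Windows executable: 'MZ' magic plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_nuclear_payload(blob: bytes, key: bytes = NUCLEAR_XOR_KEY) -> bytes:
    """Decode an EK payload body and refuse output that does not look like a PE file.

    Assumption (not confirmed by the post): the body is a plain repeating-key XOR.
    """
    decoded = xor_repeating(blob, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded buffer is not a PE file: wrong key or another encoding layer")
    return decoded


# Constructed sample: minimal DOS header (MZ, e_lfanew = 0x40) followed by a PE signature
# and filler, XOR-encoded with the key. This is a test fixture, NOT the real payload.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 12
SAMPLE_ENCODED = xor_repeating(SAMPLE_PE, NUCLEAR_XOR_KEY)

if __name__ == "__main__":
    import sys

    # Usage: python nuclear_xor.py <encoded_payload_file> <output_file>
    with open(sys.argv[1], "rb") as fh:
        pe = decode_nuclear_payload(fh.read())
    with open(sys.argv[2], "wb") as out:
        out.write(pe)
    print("decoded %d bytes, PE header OK" % len(pe))
```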
PCAP and Malware
Compromised Domain and Redirect

2015-07-09 08:09:35 UTC - 203.124.115.1 - careerpower.in - GET /

Angler EK Traffic

2015-07-09 08:09:41 UTC - 176.9.245.140 - lkevalikoimawomanbearing.cowboysplayoff.com - GET /viewtopic.php?f=6&t=154706112
2015-07-09 08:09:46 UTC - 176.9.245.140 - lkevalikoimawomanbearing.cowboysplayoff.com - GET /perhaps.cpg?lot=KOi&few=&however=A_FU&right=&less=1JRVLWxDK&through=4bvM&else=5dmVFselzwxg7ppRfovZw50-0Mh3
2015-07-09 08:09:51 UTC - 176.9.245.140 - lkevalikoimawomanbearing.cowboysplayoff.com - GET /place.phtm?certainly=5n1-YZeSjn&shall=NUIg7rd&here=KIUtui3&necessary=u1Rhyi-g&enough=Smxe&sale=QIWRWMvM71&never=sV

Nuclear EK Traffic

2015-07-09 08:09:43 UTC - 104.238.190.92 - cacoturesamopase.ml - GET /QAkMQE1QSwcFUl4RQhYBQlAIWBQFQlRLWgg.html
2015-07-09 08:09:55 UTC - 104.238.190.92 - cacoturesamopase.ml - GET /UhwUTUYIXxUYBE1dSwcFUl4RQhYBQlAIWBQFQlRLWggYBwVLBVdRHwBQAkpcAU1UA1dSBQNcBFxXTVcJBA
2015-07-09 08:09:55 UTC - 104.238.190.92 - cacoturesamopase.ml - GET /UQ0IVE0SWgwVTQQZDxgHUFIKQxEWVEIEWgsUUEIAGQkITQdRGVZXBB9UAlFKCQEZBlBXBwVXDldcAk1QSyMoVkgRcg0RQnYZBg

Post-Infection CryptoWall 3.0 Traffic

2015-07-09 08:09:57 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-09 08:10:18 UTC - 198.57.151.37 - athomedadmatters.com - POST /wp-content/themes/dd.php?h=sducfkyoopq7
2015-07-09 08:10:29 UTC - 72.167.131.219 - asrparts.com - POST /wp-content/themes/cc.php?d=mbjoxgh9vd
2015-07-09 08:11:00 UTC - 198.57.151.37 - athomedadmatters.com - POST /wp-content/themes/dd.php?s=mbjoxgh9vd
2015-07-09 08:11:03 UTC - 72.167.131.219 - asrparts.com - POST /wp-content/themes/cc.php?z=7hocwuudcq5gc

Post-Infection Nuclear EK Possible Zbot Variant Traffic

2015-07-09 08:10:27 UTC - 95.211.121.18 - whoer.net - GET /

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8

2015-07-09 08:09:39 UTC - 203.124.115.1:80 -> 192.168.10.10:1036 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-09 08:09:42 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Possible Angler EK Landing May 16 M2
2015-07-09 08:09:42 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-07-09 08:09:42 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Angler EK Landing June 30 2015 M6
2015-07-09 08:09:42 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Possible Angler EK Landing June 30 2015 M2
2015-07-09 08:09:43 UTC - 104.238.190.92:80 -> 192.168.10.10:1052 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M1
2015-07-09 08:09:43 UTC - 104.238.190.92:80 -> 192.168.10.10:1052 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-07-09 08:09:43 UTC - 104.238.190.92:80 -> 192.168.10.10:1052 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-07-09 08:09:46 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Possible Angler EK Landing May 16 M2
2015-07-09 08:09:46 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-07-09 08:09:46 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Angler EK Landing June 30 2015 M6
2015-07-09 08:09:46 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015
2015-07-09 08:09:46 UTC - 176.9.245.140:80 -> 192.168.10.10:1049 - ETPRO CURRENT EVENTS Possible Angler EK Landing June 30 2015 M2
2015-07-09 08:09:46 UTC - 192.168.10.10:1049 -> 176.9.245.140:80 - ETPRO CURRENT EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T2
2015-07-09 08:09:51 UTC - 176.9.245.140:80 -> 192.168.10.10:1059 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-09 08:09:52 UTC - 176.9.245.140:80 -> 192.168.10.10:1059 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (12)
2015-07-09 08:09:52 UTC - 176.9.245.140:80 -> 192.168.10.10:1059 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (13)
2015-07-09 08:09:52 UTC - 176.9.245.140:80 -> 192.168.10.10:1059 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (23)
2015-07-09 08:09:52 UTC - 176.9.245.140:80 -> 192.168.10.10:1059 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (11) M2
2015-07-09 08:09:53 UTC - 104.238.190.92:80 -> 192.168.10.10:1052 - ETPRO CURRENT EVENTS Nuclear EK Landing April 30 2015 M4
2015-07-09 08:09:55 UTC - 192.168.10.10:1078 -> 104.238.190.92:80 - ET CURRENT EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015
2015-07-09 08:09:55 UTC - 192.168.10.10:1078 -> 104.238.190.92:80 - ET POLICY Outdated Windows Flash Version IE
2015-07-09 08:09:55 UTC - 104.238.190.92:80 -> 192.168.10.10:1078 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-07-09 08:09:57 UTC - 192.168.10.10:1081 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-07-09 08:10:05 UTC - 104.238.190.92:80 -> 192.168.10.10:1078 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-07-09 08:10:20 UTC - 192.168.10.10:1113 -> 198.57.151.37:80 - ET TROJAN CryptoWall Check-in
2015-07-09 08:10:20 UTC - 192.168.10.10:1113 -> 198.57.151.37:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-09 08:10:27 UTC - 192.168.10.10:1115 -> 95.211.121.18:80 - ET POLICY Possible External IP Lookup whoer.net
2015-07-09 08:10:28 UTC - 95.211.121.18:80 -> 192.168.10.10:1115 - ET CURRENT EVENTS WebRTC IP tracker Observed in DNSChanger EK May 12 2015
2015-07-09 08:11:00 UTC - 192.168.10.10:1114 -> 72.167.131.219:80 - ET TROJAN CryptoWall Check-in
2015-07-09 08:11:00 UTC - 192.168.10.10:1114 -> 72.167.131.219:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-09 08:11:03 UTC - 192.168.10.10:1118 -> 198.57.151.37:80 - ET TROJAN CryptoWall Check-in
2015-07-09 08:11:03 UTC - 192.168.10.10:1118 -> 198.57.151.37:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-09 08:11:26 UTC - 192.168.10.10:1119 -> 72.167.131.219:80 - ET TROJAN CryptoWall Check-in
2015-07-09 08:11:26 UTC - 192.168.10.10:1119 -> 72.167.131.219:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-09 08:11:30 UTC - 184.28.188.186:80 -> 192.168.10.10:1127 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-07-09 08:11:46 UTC - 184.28.188.186:80 -> 192.168.10.10:1130 - ET POLICY PE EXE or DLL Windows file download HTTP

Preliminary Malware Analysis

Nuclear EK Flash Exploit - CVE-2015-5119

Nuclear EK Payload

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.