Notes
  • Nuclear EK underwent substantial changes in its normal URI structure, according to @kafeine's post
  • Previous Nuclear traffic can be seen here, and here from Brad @malware_traffic
  • The new URI structure appears to be more similar to Angler EK
  • XOR key for the Nuclear payload is hex 56,6b,59,78,6a,50 // ASCII: VkYxjP
  • The sample didn't run the payload on initial infection, so the Nuclear EK payload (CryptoWall 3.0) was run separately in a lab environment
  • Thanks @EKwatcher
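As an added example (not code from the original post), the snippet below shows how an analyst can apply the six-byte repeating XOR key noted above to the payload bytes Nuclear EK sends, sanity-check that the result is a Windows PE file, and recover the key from known plaintext (the "MZ" header) when it is not yet known. The "payload" here is a constructed stand-in PE header, not the real CryptoWall 3.0 sample; the function names are my own.

```python
"""
Added example (not from the original post): decode a payload that was
XOR-obfuscated with the repeating key "VkYxjP" from the post's notes and
check that the result looks like a PE file. The sample bytes are constructed
for this demo; they are not the real CryptoWall 3.0 payload.
"""
from itertools import cycle

# From the post's notes: hex 56 6b 59 78 6a 50 == b"VkYxjP"
NUCLEAR_XOR_KEY = bytes.fromhex("566b59786a50")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key; XOR is its own inverse."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(obfuscated: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """
    Recover a repeating XOR key of length `key_len` from known plaintext at
    offset 0. A PE file starts with "MZ", and the DOS header bytes that follow
    are usually predictable, so the key can be derived without executing
    anything. `known_prefix` must cover at least one full key period.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known plaintext must cover at least one full key period")
    return bytes(c ^ p for c, p in zip(obfuscated[:key_len], known_prefix[:key_len]))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check: DOS magic 'MZ' and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in payload: 64-byte DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3A)   # bytes 0x00..0x3B
    dos_header += (0x40).to_bytes(4, "little")        # e_lfanew at 0x3C
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 60


def decode_payload(obfuscated: bytes) -> bytes:
    """Apply the post's key to bytes captured off the wire."""
    return xor_with_key(obfuscated, NUCLEAR_XOR_KEY)


if __name__ == "__main__":
    wire_bytes = xor_with_key(build_fake_pe(), NUCLEAR_XOR_KEY)  # what the EK would serve
    print("obfuscated bytes start with MZ?", wire_bytes.startswith(b"MZ"))
    print("decoded looks like PE?", looks_like_pe(decode_payload(wire_bytes)))
    print("recovered key:", recover_key(wire_bytes, b"MZ\x00\x00\x00\x00", 6))
```

In practice you would feed `decode_payload` the body of the HTTP response flagged by the "Nuclear EK Payload" signature (carved from the PCAP), and only trust the result once `looks_like_pe` passes; if the key has rotated, `recover_key` with the first few header bytes you are sure of gives the new one.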
PCAP and Malware
Compromised Domain and Redirect

2015-07-21 22:25:31 UTC - 50.56.237.247 - forum.freeadvice.com - GET /small-claims.courts-24/can-contract-enforced-without-signature-478354.html
2015-07-21 22:25:31 UTC - 136.243.25.242 - skalelinasa.com - GET /nTLNP-zmM-S-XGsoKuW/Pqin-oWVh.js?S_-jHs2d6=32k6-O9h4g46Q4y6_&cEdHMvW-=6e24j7M4i9J1f

Nuclear EK Traffic

2015-07-21 22:25:47 UTC - 178.62.179.76 - vneleest.link - GET /search?q=cSFVZOAk5HCwReVldCEU9eWlxa&MqF=blOWlt&bZKZnk=004a51&BZXb=aWlxVAB&FPTIWfo=2100214b02
2015-07-21 22:25:48 UTC - 178.62.179.76 - vneleest.link - GET /search?q=bHQMDS1MCC&DBaqqG=e1&vfOVJ=fUXwE&SDSVT=dBAcDUB&RnrLQMd=chwAUVdOAgYCUlQD&vYUUg=67581a130&CLr=aVkpBGQhbUEIGGVBOBk5HCwReVldCEU9eWlxaGVYA&jNRtDYx=531ee2923
2015-07-21 22:25:54 UTC - 178.62.179.76 - vneleest.link - GET /search?q=aVVtdAB1bWlFBUh0DTwdNEw9XX1dUFhUcX1&eKilmf=96a1c1cc32&NFSXzU=4273c94&iEBUm=cTwMFVlYHAgUEV1ROBE5nDjhKWWJNVA&DzXJVc=btfDh0FARwAV08AAwsfVFUE

Post-Infection CryptoWall 3.0 Traffic (from another host)

2015-07-21 23:05:02 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-21 23:05:02 UTC - 66.147.242.164 - 3dfactorymexico.com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/c.php?v=ajy9gatvyn
2015-07-21 23:05:33 UTC - 5.153.10.229 - businesscod.com - POST /tmp/e.php?a=ajy9gatvyn
2015-07-21 23:05:33 UTC - 184.168.47.225 - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?q=ajy9gatvyn
2015-07-21 23:05:33 UTC - 184.168.47.225 - africanadvances.com - POST /wp-content/plugins/updraftplus/oc/guzzle/Guzzle/Service/Command/LocationVisitor/Request/a.php?a=ajy9gatvyn
2015-07-21 23:05:37 UTC - 66.147.242.164 - 3dfactorymexico.com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/c.php?p=4bxcbbmdw11bm
2015-07-21 23:06:07 UTC - 5.153.10.229 - businesscod.com - POST /tmp/e.php?p=4bxcbbmdw11bm
2015-07-21 23:06:08 UTC - 184.168.47.225 - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?i=4bxcbbmdw11bm
2015-07-21 23:06:11 UTC - 66.147.242.164 - 3dfactorymexico.com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/c.php?g=ep1sfvj1nb2
2015-07-21 23:06:42 UTC - 5.153.10.229 - businesscod.com - POST /tmp/e.php?g=ep1sfvj1nb2
2015-07-21 23:06:42 UTC - 184.168.47.225 - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?y=ep1sfvj1nb2
2015-07-21 23:06:58 UTC - 66.147.242.164 - 3dfactorymexico.com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/c.php?s=lc9t3zfq20m1xj2
2015-07-21 23:06:59 UTC - 5.153.10.229 - businesscod.com - POST /tmp/e.php?l=lc9t3zfq20m1xj2
2015-07-21 23:06:59 UTC - 184.168.47.225 - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?s=lc9t3zfq20m1xj2
2015-07-21 23:06:59 UTC - 184.168.47.225 - africanadvances.com - POST /wp-content/plugins/updraftplus/oc/guzzle/Guzzle/Service/Command/LocationVisitor/Request/a.php?h=lc9t3zfq20m1xj2
2015-07-21 23:12:28 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /dketic
2015-07-21 23:12:30 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/style.css
2015-07-21 23:12:31 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/us.png
2015-07-21 23:12:31 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/it.png
2015-07-21 23:12:31 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/de.png
2015-07-21 23:12:31 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /picture.php?k=dketic&3d5f650db76e1561cfd7dbd677f734c2
2015-07-21 23:12:31 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/es.png
2015-07-21 23:12:31 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/lt.png
2015-07-21 23:12:33 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/fr.png
2015-07-21 23:12:33 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/rt.png
2015-07-21 23:12:33 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/lb.png
2015-07-21 23:12:33 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/rb.png
2015-07-21 23:12:35 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /favicon.ico
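The traffic listing above has two shapes worth turning into detection logic: the CryptoWall check-ins (POSTs to a PHP file on compromised sites, each with a single one-letter query parameter whose value is repeated across several unrelated domains within a short window) and the payment-site lookups to a host whose leftmost label is a 16-character Tor v2 hidden-service address fronted by a clearnet ".onion proxy" domain. The following is an added example, not code from the post: a small parser for the post's log format plus two heuristics for those shapes. The sample lines are copied from the listing above; the thresholds (two domains, 120 seconds) and the function names are my own assumptions.

```python
"""
Added example (not from the original post): parse the post's HTTP log format
and flag (1) CryptoWall-style check-in clusters and (2) hosts that look like a
Tor hidden service reached through a clearnet proxy domain.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a subset of the post's traffic listing, one line per request.
SAMPLE_LOG = """\
2015-07-21 23:05:02 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-21 23:05:02 UTC - 66.147.242.164 - 3dfactorymexico.com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/c.php?v=ajy9gatvyn
2015-07-21 23:05:33 UTC - 5.153.10.229 - businesscod.com - POST /tmp/e.php?a=ajy9gatvyn
2015-07-21 23:05:33 UTC - 184.168.47.225 - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?q=ajy9gatvyn
2015-07-21 23:06:07 UTC - 5.153.10.229 - businesscod.com - POST /tmp/e.php?p=4bxcbbmdw11bm
2015-07-21 23:06:08 UTC - 184.168.47.225 - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?i=4bxcbbmdw11bm
2015-07-21 23:12:28 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /dketic
2015-07-21 23:12:30 UTC - 95.163.121.228 - 6i3cb6owitcouepv.misterhoppo.com - GET /img/style.css
"""

# "<timestamp> UTC - <server ip> - <host> - <METHOD> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<ip>[\d.]+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<url>\S+)$"
)
# Tor v2 hidden-service addresses are 16 base32 characters ([a-z2-7]).
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")


def parse_log(text):
    """Turn the post's log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "host": m["host"],
            "method": m["method"],
            "path": parts.path,
            "query": parse_qsl(parts.query, keep_blank_values=True),
        })
    return events


def is_checkin_shaped(ev):
    """POST to a .php path carrying exactly one single-letter query parameter."""
    return (ev["method"] == "POST" and ev["path"].endswith(".php")
            and len(ev["query"]) == 1 and len(ev["query"][0][0]) == 1)


def find_checkin_clusters(events, min_domains=2, window_seconds=120):
    """
    Group check-in-shaped POSTs by their parameter value. The same value sent to
    several unrelated domains within a short window is the beaconing pattern seen
    in the post; a single form submission does not look like that.
    Returns {value: sorted list of domains}.
    """
    by_value = defaultdict(list)
    for ev in events:
        if is_checkin_shaped(ev):
            by_value[ev["query"][0][1]].append(ev)
    clusters = {}
    for value, evs in by_value.items():
        hosts = {e["host"] for e in evs}
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        if len(hosts) >= min_domains and span <= window_seconds:
            clusters[value] = sorted(hosts)
    return clusters


def find_onion_proxy_hosts(events):
    """Hosts whose leftmost label is a v2 onion address under a normal registered domain."""
    hits = set()
    for ev in events:
        labels = ev["host"].split(".")
        if len(labels) >= 3 and ONION_LABEL_RE.match(labels[0]):
            hits.add(ev["host"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for value, hosts in find_checkin_clusters(evs).items():
        print(f"check-in value {value!r} posted to {len(hosts)} domains: {hosts}")
    print("onion proxy hosts:", find_onion_proxy_hosts(evs))
```

The check-in heuristic is deliberately about the relationship between requests (one value, many unrelated hosts, seconds apart) rather than the individual PHP paths, since the compromised sites change constantly while the beaconing shape does not; the onion-proxy check corresponds to what the ETPRO ".onion Proxy Domain" DNS alert fires on, and is useful for DNS logs as well as HTTP.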

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

Nuclear EK Infection Traffic
2015-07-21 22:25:47 UTC - 178.62.179.76:80 -> 192.168.7.105:49315 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M1
2015-07-21 22:25:47 UTC - 178.62.179.76:80 -> 192.168.7.105:49315 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-07-21 22:25:47 UTC - 178.62.179.76:80 -> 192.168.7.105:49315 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-07-21 22:25:47 UTC - 178.62.179.76:80 -> 192.168.7.105:49315 - ETPRO CURRENT EVENTS Nuclear EK Landing April 30 2015 M4
2015-07-21 22:25:48 UTC - 192.168.7.105:49315 -> 178.62.179.76:80 - ET POLICY Outdated Windows Flash Version IE
2015-07-21 22:25:58 UTC - 178.62.179.76:80 -> 192.168.7.105:49315 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-07-21 22:25:58 UTC - 178.62.179.76:80 -> 192.168.7.105:49315 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload

Post-Infection CryptoWall 3.0 Traffic (from a separate host)
2015-07-21 23:05:02 UTC - 10.10.11.114:49189 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-07-21 23:05:33 UTC - 10.10.11.114:49190 -> 66.147.242.164:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:05:33 UTC - 10.10.11.114:49193 -> 184.168.47.225:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:05:33 UTC - 10.10.11.114:49193 -> 184.168.47.225:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-21 23:05:33 UTC - 10.10.11.114:49192 -> 5.153.10.229:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:05:37 UTC - 10.10.11.114:49194 -> 184.168.47.225:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:07 UTC - 10.10.11.114:49195 -> 66.147.242.164:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:08 UTC - 10.10.11.114:49196 -> 5.153.10.229:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:11 UTC - 10.10.11.114:49197 -> 184.168.47.225:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:11 UTC - 10.10.11.114:49197 -> 184.168.47.225:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-21 23:06:41 UTC - 10.10.11.114:49198 -> 66.147.242.164:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:42 UTC - 10.10.11.114:49199 -> 5.153.10.229:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:45 UTC - 10.10.11.114:49200 -> 184.168.47.225:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:45 UTC - 10.10.11.114:49200 -> 184.168.47.225:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-21 23:06:59 UTC - 10.10.11.114:49201 -> 66.147.242.164:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:59 UTC - 10.10.11.114:49202 -> 5.153.10.229:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:06:59 UTC - 10.10.11.114:49203 -> 184.168.47.225:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-21 23:06:59 UTC - 10.10.11.114:49203 -> 184.168.47.225:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:07:02 UTC - 10.10.11.114:49204 -> 184.168.47.225:80 - ET TROJAN CryptoWall Check-in
2015-07-21 23:12:28 UTC - 10.10.11.114:60526 -> 10.10.11.39:53 - ETPRO TROJAN CryptoLocker .onion Proxy Domain (6i3cb6owitcouepv)
2015-07-21 23:12:28 UTC - 10.10.11.114:60526 -> 10.10.11.39:53 - ETPRO POLICY DNS Query to .onion proxy Domain (misterhoppo.com)

Preliminary Malware Analysis

Nuclear EK Flash Exploit

Nuclear EK Payload - CryptoWall 3.0

PCAP and Malware

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates