Notes
  • PCAP from Threatglass on September 3rd
  • Nuclear EK delivering Pony/Fareit, which in turn appears to download Troldesh.A
  • Nuclear EK Payload XOR encoded with ascii key 'dthNyPN'
  • Because this sample came from Threatglass, the PCAP is all we have to go off
  • The Troldesh sample was run in a separate sandbox to gather intelligence on associated activity/traffic
    • Evidence of Troldesh was seen when executed in a sandbox environment: files were encrypted and renamed with the .xbtl extension
    • Running did not generate the normal ransomware decryption instructions
    • One run resulted in a WordPress login bruteforcing routine (I will blog on this later; please reach out if you have observed this)
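The note above says the Nuclear EK payload is XOR-encoded with the ASCII key 'dthNyPN'. Below is an added example (my own code, not from the original post or from Nuclear EK) of how a defender can decode such a payload carved from the PCAP and, since the key is not always known up front, how to recover a repeating XOR key from the predictable DOS/PE header of the decoded executable. The key is the one reported above; the payload bytes are constructed for the demo and are not the real sample.

```python
"""Decode a repeating-key XOR-encoded exploit-kit payload and sanity-check the result.

Added example, not code from the original post. NUCLEAR_KEY is the key the
post reports for this sample; build_demo_pe() constructs a stand-in payload.
"""
from itertools import cycle
from typing import Optional

NUCLEAR_KEY = b"dthNyPN"  # key reported in the post for this Nuclear EK sample

# First 16 bytes of a typical Windows PE DOS header ('MZ', e_cblp, e_cp, e_crlc,
# e_cparhdr, e_minalloc, e_maxalloc). They rarely vary, so they make a usable
# known-plaintext window for key recovery.
PE_KNOWN_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a blob is a Windows executable: 'MZ' magic plus a
    'PE\\0\\0' signature at the offset stored in e_lfanew (DOS header offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(encoded: bytes, known_plaintext: bytes = PE_KNOWN_HEADER) -> Optional[bytes]:
    """Recover a repeating XOR key from a known-plaintext prefix.

    XORing the ciphertext prefix with the expected header yields the keystream;
    the key is the keystream's shortest period. Only keys up to half the window
    length (8 bytes for the 16-byte PE header) can be confirmed; otherwise None.
    """
    window = encoded[:len(known_plaintext)]
    stream = xor_repeating_key(window, known_plaintext)
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return stream[:period]
    return None


def build_demo_pe() -> bytes:
    """Constructed stand-in for a downloaded payload: a 64-byte DOS header whose
    e_lfanew points at a bare 'PE\\0\\0' signature, followed by filler bytes.
    Not a runnable executable; just enough structure for looks_like_pe()."""
    dos_header = (PE_KNOWN_HEADER
                  + b"\x00" * (0x3C - len(PE_KNOWN_HEADER))
                  + (0x40).to_bytes(4, "little"))
    return dos_header + b"PE\x00\x00" + bytes(range(64))


def demo() -> dict:
    """Encode the demo payload the way the post describes, then recover the key
    from the ciphertext alone and decode it back."""
    plaintext = build_demo_pe()
    encoded = xor_repeating_key(plaintext, NUCLEAR_KEY)  # what crosses the wire
    recovered = recover_key(encoded) or NUCLEAR_KEY      # fall back to the known key
    decoded = xor_repeating_key(encoded, recovered)
    return {
        "encoded_is_pe": looks_like_pe(encoded),  # False: XOR hides the MZ/PE magic
        "recovered_key": recovered,
        "decoded_is_pe": looks_like_pe(decoded),
        "roundtrip_ok": decoded == plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The "encoded_is_pe" result is why signature-based EXE download rules (like the ET POLICY PE EXE rule that fires later on the Pony second stage) do not trigger on the Nuclear payload itself: on the wire it carries no MZ/PE magic until the XOR layer is stripped.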
PCAP and Malware
Compromised Domain and Redirect

2015-09-03 21:47:27 UTC - 69.162.68.198 - almorakib.com - GET /
2015-09-03 21:47:27 UTC - 69.162.68.198 - www.almorakib.com - GET /

Nuclear EK Traffic

2015-09-03 21:48:09 UTC - 46.101.186.50 - daepokohutresaxo.ga - GET /search?q=aUF5SV0hJTQhaB0wBCkxSU1VFV&OetD=dU0haF1dX&1sTSMGs=728c65810c&EwauJV=cVBS1VF&Wwsr=bltZWk&BR49o=7ce5b7
2015-09-03 21:48:10 UTC - 46.101.186.50 - daepokohutresaxo.ga - GET /document.shtml?MqN51=bAFwEDBx4NCUwHBg&F7Ur=0a6b3b&PYKxJO=eZaAQ&I42DUT=aXEhGTkQNVQVKBgNJCAEATlRUXEBZWV9dTEREV0NUQV8YVVFJDwQYAAM&ZxZ=dRV&BALCnR=cQECgEACggM&DHvsx07=f..&EUzuS=94f0b136c
2015-09-03 21:48:13 UTC - 46.101.186.50 - daepokohutresaxo.ga - GET /cart?TC276I=0f2d1a0c&FG2=aX1laV0xBAVwDTgQGRQEHBExRWFVGXVta&G9TXB3v=cYCHAIGDB4HBwUbAQBKAwQBCAMHBAgNAE&CXicv=dwDTlRBUX5PYn5JCA..&AwqQx=bUUVCQFVGWEhZHFdURQ&UtA1zi=4330ea9d3

Post-Infection Pony/Fareit Traffic

2015-09-03 21:48:18 UTC - 173.44.130.189 - 1ccc1.net - POST /pn/crn/gate.php
2015-09-03 21:48:19 UTC - 176.114.1.54 - 2cc2cc2.cf - GET /f/crn/crn.exe

Post-Infection Troldesh.A Traffic

2015-09-03 21:48:33 UTC - 193.23.244.244:443
2015-09-03 21:48:36 UTC - 194.109.206.212:443
2015-09-03 21:48:39 UTC - 5.39.80.135:443
2015-09-03 21:48:39 UTC - 62.210.92.11:9101
2015-09-03 21:48:39 UTC - 88.198.100.230:443
2015-09-03 21:49:37 UTC - 95.211.121.18 - whoer.net - GET /

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-09-03 21:48:09 UTC - 192.168.53.10:1109 -> 46.101.186.50:80 - ETPRO CURRENT EVENTS Nuclear EK Landing URI Struct Jul 21 M1
2015-09-03 21:48:09 UTC - 46.101.186.50:80 -> 192.168.53.10:1109 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M1
2015-09-03 21:48:09 UTC - 46.101.186.50:80 -> 192.168.53.10:1109 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-09-03 21:48:10 UTC - 46.101.186.50:80 -> 192.168.53.10:1109 - ETPRO CURRENT EVENTS Nuclear EK Landing April 30 2015 M4
2015-09-03 21:48:10 UTC - 192.168.53.10:1109 -> 46.101.186.50:80 - ETPRO CURRENT EVENTS Angler EK Flash Exploit (IE) Jun 16 M1
2015-09-03 21:48:14 UTC - 192.168.53.10:1111 -> 184.25.56.61:80 - ET POLICY Outdated Windows Flash Version IE
2015-09-03 21:48:18 UTC - 192.168.53.10:1114 -> 173.44.130.189:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-09-03 21:48:18 UTC - 192.168.53.10:1114 -> 173.44.130.189:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-09-03 21:48:18 UTC - 173.44.130.189:80 -> 192.168.53.10:1114 - ETPRO TROJAN Fareit/Pony Downloader CnC response
2015-09-03 21:48:20 UTC - 192.168.53.10:1115 -> 176.114.1.54:80 - ET TROJAN Possible Graftor EXE Download Common Header Order
2015-09-03 21:48:20 UTC - 192.168.53.10:1115 -> 176.114.1.54:80 - ET CURRENT EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2015-09-03 21:48:20 UTC - 46.101.186.50:80 -> 192.168.53.10:1109 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-09-03 21:48:20 UTC - 46.101.186.50:80 -> 192.168.53.10:1109 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-09-03 21:48:20 UTC - 46.101.186.50:80 -> 192.168.53.10:1109 - ETPRO CURRENT EVENTS Angler EK Flash Exploit M2
2015-09-03 21:48:20 UTC - 176.114.1.54:80 -> 192.168.53.10:1115 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-09-03 21:48:33 UTC - 193.23.244.244:443 -> 192.168.53.10:1118 - ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 263
2015-09-03 21:48:37 UTC - 194.109.206.212:443 -> 192.168.53.10:1119 - ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264
2015-09-03 21:48:39 UTC - 5.39.80.135:443 -> 192.168.53.10:1121 - ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 391
2015-09-03 21:48:39 UTC - 62.210.92.11:9101 -> 192.168.53.10:1120 - ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 417
2015-09-03 21:48:39 UTC - 88.198.100.230:443 -> 192.168.53.10:1122 - ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 555
2015-09-03 21:48:39 UTC - 62.210.92.11:9101 -> 192.168.53.10:1120 - ET POLICY TLS possible TOR SSL traffic
2015-09-03 21:49:38 UTC - 192.168.53.10:1128 -> 95.211.121.18:80 - ET POLICY Possible External IP Lookup whoer.net
2015-09-03 21:49:38 UTC - 192.168.53.10:1128 -> 95.211.121.18:80 - ETPRO TROJAN Ransomware Win32/Troldesh.A IP Lookup
2015-09-03 21:49:38 UTC - 95.211.121.18:80 -> 192.168.53.10:1128 - ET CURRENT EVENTS WebRTC IP tracker Observed in DNSChanger EK May 12 2015

Preliminary Malware Analysis

Nuclear EK Flash Exploit

Nuclear EK Payload

Troldesh.A Malware

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.