Notes
  • Updated Nuclear EK, this time sending AlphaCrypt ransomware along with other loader/trojan modules
  • Originally spotted this domain on Threatglass, but I decided to run in a different environment
  • Payloads included H1N1 Loader, which in turn delivered AlphaCrypt, with Andromeda rounding out quite the infection chain
  • Other runs also delivered the new CryptoWall (4.0) in addition to what is below

PCAP and Malware

PCAP here: 2015-12-03-Nuclear-EK-Traffic.pcap
Malware here: 2015-12-03-Nuclear-EK-Malware-Exploits.zip

For password, please email me at jack@malwarefor.me.

Compromised Domain and Redirect

2015-12-03 05:07:14 UTC - 45.63.13.175 - www.goclick.cf - GET /
2015-12-03 05:07:15 UTC - 159.203.134.174 - cdn.mainlandpage.website - GET /ad/?id=6943631&keyword=plugrush&tsrc=plugrush

Nuclear EK Traffic

2015-12-03 05:07:16 UTC - 104.131.239.235 - givemefather.tk - GET /placers/forewarns/marauders.php?inflow=1316&quintupling=greasing
2015-12-03 05:07:19 UTC - 104.131.239.235 - givemefather.tk - GET /dehydrate/soulfulness/pinstripe/valued.css?junta=591742143084
2015-12-03 05:07:20 UTC - 104.131.239.235 - givemefather.tk - GET /domes/animosity/retrospecting.css?presidential=571854604777
2015-12-03 05:07:21 UTC - 104.131.239.235 - givemefather.tk - GET /cantatas/overshoes/inner.js?beneficent=509574388478&semiautomatic=6341
2015-12-03 05:07:28 UTC - 104.131.239.235 - givemefather.tk - GET /devil/gamines/safaried.css?monologs=458931635871
2015-12-03 05:07:30 UTC - 104.131.239.235 - givemefather.tk - GET /prancers/garner/charmers.js?minxes=99392324166&ambassadorship=29551

Payload 1 (H1N1) is XOR'd with the 10-byte ASCII key oeIJCiuPeO (hex: 0x6f 0x65 0x49 0x4a 0x43 0x69 0x75 0x50 0x65 0x4f)

Payload 2 (the same binary as Payload 1) is XOR'd with the 10-byte ASCII key wrXMWoaMuL (hex: 0x77 0x72 0x58 0x4d 0x57 0x6f 0x61 0x4d 0x75 0x4c)
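The two keys above are plain repeating-key XOR, so one routine both encodes and decodes and the hex listing is just the ASCII key spelled out byte by byte. The following Python is an added example, not the author's tooling and not code from the capture: it checks the hex listings against the ASCII keys, decodes two differently keyed copies and confirms they are the same binary (as stated for Payload 1 and 2), and recovers a key from ciphertext plus a guessed MZ header. The plaintext is a constructed stand-in for the real payload; the 10-byte DOS header guess is typical for a PE but is an assumption, not a guarantee.

```python
from itertools import cycle

# The two XOR keys from the capture, as ASCII and as the hex listed alongside them.
KEY_1 = b"oeIJCiuPeO"
KEY_1_HEX = "6f 65 49 4a 43 69 75 50 65 4f"
KEY_2 = b"wrXMWoaMuL"
KEY_2_HEX = "77 72 58 4d 57 6f 61 4d 75 4c"

# Constructed stand-in for the decoded payload: the first 16 bytes of a typical
# DOS/MZ header, the usual stub message, then filler. It is NOT the real H1N1 binary.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + bytes(range(256))
)

def key_from_hex(hex_listing: str) -> bytes:
    """Turn a space-separated hex listing (as written on the page) into key bytes."""
    return bytes.fromhex(hex_listing.replace(" ", ""))

def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key cycled over it. XOR is its own inverse,
    so the same call encodes a payload and decodes it again."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(encoded: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating key of length key_len from ciphertext plus at least
    key_len bytes of known plaintext at the start (assumption: an MZ header)."""
    if len(encoded) < key_len or len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(e ^ p for e, p in zip(encoded[:key_len], known_prefix[:key_len]))

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decode produced something PE-shaped."""
    return data[:2] == b"MZ"

def decode_both(encoded_1: bytes, encoded_2: bytes) -> bool:
    """Decode two differently keyed blobs and report whether they are the same binary."""
    return xor_repeating_key(encoded_1, KEY_1) == xor_repeating_key(encoded_2, KEY_2)

if __name__ == "__main__":
    enc_1 = xor_repeating_key(SAMPLE_PLAINTEXT, KEY_1)
    enc_2 = xor_repeating_key(SAMPLE_PLAINTEXT, KEY_2)
    print("hex listing matches ASCII key:", key_from_hex(KEY_1_HEX) == KEY_1)
    print("encoded blobs differ:", enc_1 != enc_2)
    print("both decode to the same binary:", decode_both(enc_1, enc_2))
    # Key recovery from the first 10 bytes of a guessed MZ header
    guessed = recover_key(enc_2, SAMPLE_PLAINTEXT[:10], 10)
    print("recovered key 2:", guessed, looks_like_pe(xor_repeating_key(enc_2, guessed)))
```

When the key is not already known, recover_key with the standard DOS header bytes is the usual first try; if the result does not decode to something that starts with MZ, the key length or the header guess is wrong and the next step is a frequency or repeating-pattern check rather than more guessing.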

Post-Infection H1N1 Loader Traffic

2015-12-03 05:07:26 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=00006CC0
2015-12-03 05:07:27 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=0000D638
2015-12-03 05:07:27 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=00005E65
2015-12-03 05:07:28 UTC - 162.243.167.212 - 162.243.167.212 - POST /mediaserver/autoget.php
2015-12-03 05:07:40 UTC - 162.243.167.212 - 162.243.167.212 - POST /mediaserver/autoget.php
2015-12-03 05:07:40 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=00009680
2015-12-03 05:07:41 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=0000C887
2015-12-03 05:07:41 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=0000454F
2015-12-03 05:07:42 UTC - 162.243.167.212 - 162.243.167.212 - POST /mediaserver/autoget.php
2015-12-03 05:07:53 UTC - 192.150.16.58 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=0000A217
2015-12-03 05:07:54 UTC - 192.150.16.58 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=0000D0BC
2015-12-03 05:07:55 UTC - 192.150.16.58 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=0000760A
2015-12-03 05:07:56 UTC - 162.243.167.212 - 162.243.167.212 - POST /mediaserver/autoget.php

Post-Infection AlphaCrypt Traffic

2015-12-03 05:08:01 UTC - 78.47.139.102 - myexternalip.com - GET /raw
2015-12-03 05:08:01 UTC - 192.185.5.252 - regiefernando.me - GET /images/slideshow/sysmisc.php
2015-12-03 05:09:01 UTC - 192.185.5.252 - regiefernando.me - GET /images/slideshow/sysmisc.php

Post-Infection Andromeda/Gamarue Traffic

2015-12-03 05:08:36 UTC - 31.193.177.68 - ringplanet.eu - POST /srvr/htmlpurifier-2.1.5/plugins/phorum/settings/system4_1030.php
2015-12-03 05:08:38 UTC - 81.177.135.43 - expert-drive.ru - POST /avto-school/driving-lessons/wordpress-file-monitor-plus/classes/system4_1030.php
2015-12-03 05:08:39 UTC - 185.93.187.105 - bat99-11611.co - POST /gate777.php
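The post-infection requests above have shapes that are easy to pick out of an HTTP log even without the ET rules: the H1N1 connectivity check hits the real Flash download page but with an 8-hex-digit installer= value, AlphaCrypt fetches its public IP from myexternalip.com/raw, H1N1 POSTs to a bare IP literal, and the Andromeda check-ins all land on the same script name. The Python below is an added example (not the author's tooling) that parses lines in the layout used on this page and tags each of those patterns; the log lines are copied from the capture above, plus two constructed lines (a benign Adobe request and a malformed line) to show the negative cases.

```python
import re
from collections import Counter

# One log line in the layout used on this page:
# "<date> <time> UTC - <ip> - <host> - <METHOD> <uri>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# H1N1's "connectivity check" uses the real Flash download path with an
# 8-hex-digit installer= value, the shape repeated throughout the capture above.
H1N1_CHECK_RE = re.compile(r"^/flashplayer/download/\?dualoffer=false&installer=[0-9A-Fa-f]{8}$")

# Sample input: lines copied from the capture above plus two constructed lines.
SAMPLE_LOG = [
    "2015-12-03 05:07:14 UTC - 45.63.13.175 - www.goclick.cf - GET /",
    "2015-12-03 05:07:26 UTC - 193.104.215.66 - get.adobe.com - GET /flashplayer/download/?dualoffer=false&installer=00006CC0",
    "2015-12-03 05:07:28 UTC - 162.243.167.212 - 162.243.167.212 - POST /mediaserver/autoget.php",
    "2015-12-03 05:08:01 UTC - 78.47.139.102 - myexternalip.com - GET /raw",
    "2015-12-03 05:08:36 UTC - 31.193.177.68 - ringplanet.eu - POST /srvr/htmlpurifier-2.1.5/plugins/phorum/settings/system4_1030.php",
    "2015-12-03 05:10:00 UTC - 192.150.16.58 - get.adobe.com - GET /flashplayer/",  # constructed, benign
    "this line is not in the expected layout",                                    # constructed, malformed
]

def parse(line: str):
    """Return the fields of one log line, or None when it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry: dict) -> list:
    """Tag one parsed request with every heuristic it trips (empty list = nothing notable)."""
    tags = []
    host, ip, method, uri = entry["host"], entry["ip"], entry["method"], entry["uri"]
    if host == "get.adobe.com" and H1N1_CHECK_RE.match(uri):
        tags.append("h1n1-connectivity-check")
    if host == "myexternalip.com" and uri == "/raw":
        tags.append("external-ip-check")       # AlphaCrypt learning its public IP
    if method == "POST" and host == ip:
        tags.append("post-to-ip-literal")      # H1N1 check-in to a bare IP, no hostname
    if method == "POST" and uri.endswith("/system4_1030.php"):
        tags.append("andromeda-checkin-path")  # exact script name from this capture
    return tags

def scan(lines):
    """Run every line through the parser and heuristics; return (tag, ts, host, uri) hits."""
    hits = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue  # malformed lines are skipped, not treated as hits
        for tag in classify(entry):
            hits.append((tag, entry["ts"], entry["host"], entry["uri"]))
    return hits

def summarize(lines) -> Counter:
    """Count hits per heuristic for a quick triage view of a whole capture."""
    return Counter(tag for tag, *_ in scan(lines))

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print(dict(summarize(SAMPLE_LOG)))
```

The installer= and script-name checks are tied to this capture and will age; the IP-literal POST and the public-IP lookup are the durable ones and are worth keeping as low-priority indicators on their own, with the exact paths from this post layered on top while they still match.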

IDS alerts using the Emerging Threats Pro Ruleset (INFO and POLICY disabled) on Suricata 2.0.8

2015-12-03 05:07:17 UTC - 192.168.122.89:49180 -> 104.131.239.235:80 - ETPRO CURRENT EVENTS Nuclear EK Landing URI struct Dec 03 2015 M1
2015-12-03 05:07:19 UTC - 104.131.239.235:80 -> 192.168.122.89:49180 - ETPRO CURRENT EVENTS Nuclear EK Landing Oct 20 2015 M1
2015-12-03 05:07:19 UTC - 104.131.239.235:80 -> 192.168.122.89:49180 - ETPRO CURRENT EVENTS Nuclear EK Landing Oct 20 2015 M2
2015-12-03 05:07:19 UTC - 192.168.122.89:49180 -> 104.131.239.235:80 - ETPRO CURRENT EVENTS Nuclear EK Flash Exploit IE Dec 03 2015 M1
2015-12-03 05:07:19 UTC - 192.168.122.89:49180 -> 104.131.239.235:80 - ET CURRENT EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename
2015-12-03 05:07:27 UTC - 192.168.122.89:49183 -> 193.104.215.66:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:27 UTC - 193.104.215.66:80 -> 192.168.122.89:49183 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:27 UTC - 192.168.122.89:49184 -> 193.104.215.66:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:27 UTC - 193.104.215.66:80 -> 192.168.122.89:49184 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:28 UTC - 192.168.122.89:49185 -> 193.104.215.66:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:28 UTC - 193.104.215.66:80 -> 192.168.122.89:49185 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:41 UTC - 192.168.122.89:49187 -> 193.104.215.66:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:41 UTC - 193.104.215.66:80 -> 192.168.122.89:49187 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:41 UTC - 192.168.122.89:49188 -> 193.104.215.66:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:41 UTC - 193.104.215.66:80 -> 192.168.122.89:49188 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:41 UTC - 192.168.122.89:49186 -> 162.243.167.212:80 - ETPRO TROJAN Win32/Zlader.J Checkin
2015-12-03 05:07:42 UTC - 192.168.122.89:49189 -> 193.104.215.66:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:42 UTC - 193.104.215.66:80 -> 192.168.122.89:49189 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:54 UTC - 192.168.122.89:49191 -> 192.150.16.58:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:54 UTC - 192.150.16.58:80 -> 192.168.122.89:49191 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:55 UTC - 192.168.122.89:49192 -> 192.150.16.58:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:55 UTC - 192.150.16.58:80 -> 192.168.122.89:49192 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:07:55 UTC - 192.168.122.89:49193 -> 192.150.16.58:80 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com
2015-12-03 05:07:55 UTC - 192.150.16.58:80 -> 192.168.122.89:49193 - ETPRO TROJAN H1N1 Loader adobe.com connectivity check response
2015-12-03 05:08:01 UTC - 192.168.122.89:49195 -> 78.47.139.102:80 - ET POLICY Possible IP Check myexternalip.com
2015-12-03 05:08:02 UTC - 192.168.122.89:49196 -> 192.185.5.252:80 - ETPRO TROJAN AlphaCrypt CnC Beacon 6
2015-12-03 05:08:02 UTC - 192.185.5.252:80 -> 192.168.122.89:49196 - ET TROJAN Alphacrypt CnC Beacon Response
2015-12-03 05:08:37 UTC - 192.168.122.89:49198 -> 31.193.177.68:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-12-03 05:08:37 UTC - 192.168.122.89:49198 -> 31.193.177.68:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-12-03 05:08:38 UTC - 192.168.122.89:49199 -> 81.177.135.43:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-12-03 05:08:38 UTC - 192.168.122.89:49199 -> 81.177.135.43:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-12-03 05:08:39 UTC - 192.168.122.89:49200 -> 185.93.187.105:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-12-03 05:08:39 UTC - 192.168.122.89:49200 -> 185.93.187.105:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-12-03 05:09:02 UTC - 192.185.5.252:80 -> 192.168.122.89:49201 - ET TROJAN Alphacrypt CnC Beacon Response
2015-12-03 05:09:02 UTC - 192.168.122.89:49201 -> 192.185.5.252:80 - ETPRO TROJAN AlphaCrypt CnC Beacon 6

Payment Domains and Wallet Information

Observed Payment domains:
1. hxxp://alcov44uvcwkrend.paybtc798.com
2. hxxp://alcov44uvcwkrend.btcpay435.com
3. hxxps://alcov44uvcwkrend.onion.to
4. alcov44uvcwkrend.onion

Wallet: 12Tre2uX5RZSZtDLQUv3RTfbNCaKqodVoN
Blockchain info on 12Tre2uX5RZSZtDLQUv3RTfbNCaKqodVoN

AlphaCrypt 'Howto_RESORE_FILES.txt' Details
++++++==============================================================================================================+++++++======-
What happened to your files ?  
All of your files were protected by a strong encryption with RSA-2048.  
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?  
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,  
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?  
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.  
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.  
++++++==============================================================================================================+++++++======
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?  
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.  
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:  
1. http://alcov44uvcwkrend.paybtc798.com/[Redacted]  
2. http://alcov44uvcwkrend.btcpay435.com/[Redacted]  
3. https://alcov44uvcwkrend.onion.to/[Redacted] 

If for some reasons the addresses are not available, follow these steps:  
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en  
2. After a successful installation, run the browser and wait for initialization.  
3. Type in the address bar: alcov44uvcwkrend.onion/[Redacted]  
4. Follow the instructions on the site.

IMPORTANT INFORMATION:  
Your personal pages:  
http://alcov44uvcwkrend.paybtc798.com/[Redacted]  
http://alcov44uvcwkrend.btcpay435.com/[Redacted]  
https://alcov44uvcwkrend.onion.to/[Redacted]  
Your personal page (using TOR-Browser): alcov44uvcwkrend.onion/[Redacted]  
Your personal identification number (if you open the site (or TOR-Browser's) directly): [Redacted]  
++++++==============================================================================================================+++++++======
Preliminary Malware Analysis

Nuclear EK Flash Exploit

File name: 2015-12-03-Nuclear-EK-Flash-Exploit.swf
File size: 80.8 KB ( 82704 bytes )
MD5 hash: 15f6f1235bbb8fda153872d500e9cf7b
Detection ratio: 1 / 55
First submission: 2015-12-05 23:32:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/7eebafaeace11b7bb43aed72e1d926fb83375e37785fdd6bbee20920dfe8164f/analysis/1449358331/

Nuclear EK Payload: H1N1 Loader

File name: 2015-12-03-Nuclear-EK-Payload-1.exe
File size: 149.5 KB ( 153090 bytes )
MD5 hash: 3a58215ab737c3b0b312fad797ad2f58
Detection ratio: 29 / 55
First submission: 2015-12-04 03:37:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/fb4f9c6588a891fbe9aaf4108d09ef9ec422e301b52f497170c4e035f5a0f059/analysis/1449359088/

AlphaCrypt

File name: gdkxw-a.exe
File size: 356.0 KB ( 364544 bytes )
MD5 hash: 3c1739b8576db3903f152e80295ee0b2
Detection ratio: 27 / 54
First submission: 2015-12-05 23:24:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/918fe30209f3ef975ed68dc722f32aac3bd1fefa60aff54af5bcbc8ed998212e/analysis/1449357887/

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.