2014-01-24 - NUCLEAR EXPLOIT KIT

ASSOCIATED FILES:


NOTES:

Nuclear EK (also known as "Nuclear Pack") has been around for a while.  A Google search shows version 2.0 was discovered in 2012.

Current EmergingThreats signatures for Nuclear EK activity were released as early as November 2013 (see http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=%22Nuclear+EK%22 for details).

I recently ran across some traffic that triggered a few of those Nuclear EK signatures.  Let's take a closer look...


SNORT EVENTS

As always, I used Security Onion to monitor a vulnerable Windows host.  This time, it was a VM running Windows 7 SP1 with IE 10 and Java 7 update 15.


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INITIAL INFECTION CHAIN:


TRAFFIC DETAILS

Compromised server with an iframe in the HTML of the web page:


www.comprarytraer.cl redirects from the compromised web site to the Nuclear EK domain:


Initial landing page for the Nuclear EK domain:


The Java exploit:


The EXE payload:


PRELIMINARY MALWARE ANALYSIS

File name:  2014-01-24-Nucleus-exploit.jar
File size:  13.9 KB ( 14234 bytes )
MD5 hash:  2014-01-24-Nuclear-Java-exploit.jar
VirusTotal link:  https://www.virustotal.com/en/file/324df14bbb80c0b6dd0b13d96732c8647d20b470309d7e161c7068b7e5213265/analysis/
Detection ratio:  2 / 50
First submission:  2014-01-24 04:38:46 GMT


File name:  2014-01-24-Nuclear-EXE-payload.exe
File size:  344.0 KB ( 352256 bytes )
MD5 hash:  3c2d3d94b9e47f5c72dab9a8d62a58a2
VirusTotal link:  https://www.virustotal.com/en/file/0c1ecbdcf144a8f28f88edef7221426f613124c8da5a84dc33975eca13a2d90c/analysis/
Detection ratio:  20 / 50
First submission:  2014-01-23 10:29:05 GMT
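The chain described under TRAFFIC DETAILS (compromised site, redirector, EK landing page, Java exploit, EXE payload) is the kind of sequence a defender can pull back out of ordinary proxy logs. The following is an added example, not code from this post: it parses constructed HTTP log lines (hostnames are placeholders, not real indicators), walks the Referer chain backwards from the .jar download to recover compromised site -> redirector -> landing page, and then looks for a referer-less executable download from the same EK host shortly afterwards, which is how the Java plugin fetches the payload. The sample sizes 14234 and 352256 bytes are the ones listed above for the .jar and .exe; the log format, field order and the 60-second window are assumptions.

```python
"""Reconstruct an exploit-kit infection chain from HTTP proxy log lines.

Added example, not code from the original post. The log below is constructed;
hostnames are placeholders. Assumed field order per line:
date time client method host path referer status content_type bytes
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample log: one EK chain for 10.0.0.5 plus one benign request.
SAMPLE_LOG = """\
2014-01-24 04:31:02 10.0.0.5 GET compromised-site.example /index.html - 200 text/html 18211
2014-01-24 04:31:03 10.0.0.5 GET redirector.example /go.php http://compromised-site.example/index.html 200 text/html 412
2014-01-24 04:31:04 10.0.0.5 GET ek-landing.example /1a2b3c.html http://redirector.example/go.php 200 text/html 9077
2014-01-24 04:31:06 10.0.0.5 GET ek-landing.example /f/1a2b3c.jar http://ek-landing.example/1a2b3c.html 200 application/java-archive 14234
2014-01-24 04:31:09 10.0.0.5 GET ek-landing.example /f/1a2b3c?e=1 - 200 application/octet-stream 352256
2014-01-24 04:35:00 10.0.0.9 GET cdn.example /jquery.js http://shop.example/ 200 application/javascript 93000
"""


@dataclass
class Request:
    ts: datetime
    client: str
    host: str
    path: str
    referer: Optional[str]   # None when the log shows "-"
    status: int
    ctype: str
    size: int

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


@dataclass
class Chain:
    client: str
    hosts: List[str]          # compromised site -> redirector -> landing page
    exploit: Request          # the .jar download
    payload: Optional[Request]  # referer-less EXE fetched after the exploit


def parse_log(text: str) -> List[Request]:
    """Parse the assumed whitespace-separated log format into Request objects."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()
        if len(f) != 10:
            raise ValueError(f"unexpected field count: {line!r}")
        date, time_, client, _method, host, path, ref, status, ctype, size = f
        ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        reqs.append(Request(ts, client, host, path, None if ref == "-" else ref,
                            int(status), ctype, int(size)))
    return reqs


def is_jar(r: Request) -> bool:
    return r.ctype == "application/java-archive" or r.path.lower().endswith(".jar")


def is_exe(r: Request) -> bool:
    # Payloads arrive as generic binary; a size floor drops tiny redirector bodies.
    return r.ctype in ("application/octet-stream", "application/x-msdownload") and r.size > 65536


def find_ek_chains(reqs: List[Request], window: timedelta = timedelta(seconds=60)) -> List[Chain]:
    """For every .jar download, recover the referer chain and any follow-on payload."""
    by_url = {r.url: r for r in reqs}
    chains = []
    for jar in reqs:
        if not is_jar(jar):
            continue
        # Walk Referer headers backwards until a page with no logged referer.
        pages: List[Request] = []
        ref, seen = jar.referer, set()
        while ref and ref in by_url and ref not in seen:
            seen.add(ref)
            page = by_url[ref]
            pages.insert(0, page)
            ref = page.referer
        # The Java plugin fetches the EXE with no Referer, from the same EK host.
        payload = next((r for r in reqs
                        if r.client == jar.client and r.host == jar.host
                        and is_exe(r) and r.referer is None
                        and jar.ts <= r.ts <= jar.ts + window), None)
        chains.append(Chain(jar.client, [p.host for p in pages], jar, payload))
    return chains


if __name__ == "__main__":
    for c in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(c.client, " -> ".join(c.hosts), "| jar:", c.exploit.size,
              "bytes | payload:", c.payload.size if c.payload else "none")
```

The referer walk only works while the logged pages link to each other; an EK landing page reached through a 302 or a script-built URL will show up with a short chain, so an empty or one-host chain is still worth alerting on when a .jar download is followed by a referer-less binary from the same host.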


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
