2014-02-03 PART 4 OF 4 - NUCLEAR EK DELIVERS TROJAN DROPPER

PCAP AND MALWARE
CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS
PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  1391381880.jar
File size:  14.3 KB ( 14676 bytes )
MD5 hash:  2ce73f15f4b9aec806bc2f490b66bd35
Detection ratio:  2 / 50
First submission:  2014-02-03 18:04:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/44369e9d68d5cdbb017ebae7117f0647a60f86b6b5efc27f10c2e2a1cb1c05da/analysis/
EXE PAYLOAD

File name:  2.exe
File size:  99.9 KB ( 102259 bytes )
MD5 hash:  27a2850e82cb839f28ab5d7731a453e2
Detection ratio:  21 / 50
First submission:  2014-02-02 02:26:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/6433ab0b700f418f2b2be31f3a3e1437713171bd5706e91902d2ccc594ecf380/analysis/
SNORT EVENTS

SNORT EVENTS FOR NUCLEAR EK TRAFFIC (FROM SECURITY ONION)
HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.topnewszone.com/
Redirect - my-anxiety-and-panic-attacks.com/wp-content/files/
Nuclear EK domain delivers Java exploit - tbbq0.golferboomerang.pw/3531364735/1391381880.jar
Nuclear EK domain delivers EXE payload - tbbq0.golferboomerang.pw/f/1391381880/3531364735/2
FINAL NOTES

Once again, here are links for a ZIP file of the traffic and a ZIP file of the associated malware:

The ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.