2014-03-27 - NUCLEAR EK

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-27-Nuclear-EK-java-exploit.jar
File size:  15.1 KB ( 15476 bytes )
MD5 hash:  c50c70d94ba158f9dc2957a510e7e46f
Detection ratio:  2 / 51
First submission:  2014-03-27 05:37:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e02a1a31b9ad2549d79e389245e117da2ed4639505beb39199e487c7a2400320/analysis/

 

MALWARE PAYLOAD

File name:  2014-03-27-Nuclear-EK-malware-payload.exe
File size:  81.5 KB ( 83456 bytes )
MD5 hash:  1147c5c97cc5d2f38806fa2ae6257e23
Detection ratio:  5 / 51
First submission:  2014-03-27 05:37:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/993c84131e262ea5d496791ebc926d6854ee52523cda045396d33ff9a4a8421f/analysis/
Malwr link:  https://malwr.com/analysis/MGZjZjA5MWU5MjgyNDMyOThiODU3ZjNlNGI5ZGZhODA/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript in the page from the compromised server - andresandim.com/

 

Redirect - jscriptmod.com/webjs

 

Nuclear EK delivers Java exploit - 1159407037-6.summernice-best.ru/1395876720.jar

 

Java exploit delivers EXE payload - 1159407037-6.summernice-best.ru/f/1395876720/2

 
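The four requests above make up the whole chain: compromised site, redirector, exploit, payload. The script below is an added example (not part of the original post or its pcap) that walks a constructed proxy-style log through those same four requests and rebuilds the chain. The hosts and URIs are the ones from the post; the timestamps, the client IP, the trailing favicon request, the regexes for the EK host and paths, and the reading of the ten-digit path component as a Unix epoch are all assumptions made for the example, not a vendor signature.

```python
import re
from datetime import datetime, timezone

# Constructed proxy-style log modelled on the four requests shown above.
# Hosts and URIs come from the post; timestamps, client IP and the trailing
# favicon request are assumed filler.
SAMPLE_LOG = """\
2014-03-27T05:36:52Z 192.168.1.105 GET andresandim.com /
2014-03-27T05:36:54Z 192.168.1.105 GET jscriptmod.com /webjs
2014-03-27T05:36:57Z 192.168.1.105 GET 1159407037-6.summernice-best.ru /1395876720.jar
2014-03-27T05:37:01Z 192.168.1.105 GET 1159407037-6.summernice-best.ru /f/1395876720/2
2014-03-27T05:37:05Z 192.168.1.105 GET www.example.com /favicon.ico
"""

# Hosts named in the post. In practice these come from a threat-intel feed
# or from the referer chain, not from a hard-coded set.
KNOWN_COMPROMISED = {"andresandim.com"}
KNOWN_REDIRECTORS = {"jscriptmod.com"}

# Patterns distilled from this one capture (an assumption about the EK's URL
# scheme, not a vendor signature):
#  - EK host: a "<digits>-<digits>." label in front of the EK domain
#  - exploit: a ten-digit name with .jar directly under the web root
#  - payload: /f/<same ten digits>/<small integer>
EK_HOST_RE = re.compile(r"^\d+-\d+\.[a-z0-9-]+(\.[a-z0-9-]+)+$")
EK_JAR_RE = re.compile(r"^/(\d{10})\.jar$")
EK_PAYLOAD_RE = re.compile(r"^/f/(\d{10})/(\d+)$")

LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn the space-separated log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, uri = m.groups()
        records.append({"ts": ts, "client": client, "method": method,
                        "host": host.lower(), "uri": uri})
    return records


def classify(host, uri):
    """Label one request by its role in the infection chain."""
    if host in KNOWN_COMPROMISED:
        return "compromised-site"
    if host in KNOWN_REDIRECTORS:
        return "redirector"
    if EK_HOST_RE.match(host):
        if EK_JAR_RE.match(uri):
            return "nuclear-ek-jar"
        if EK_PAYLOAD_RE.match(uri):
            return "nuclear-ek-payload"
    return "other"


def epoch_hint(digits):
    """The ten-digit id reads as a Unix epoch (assumption); decode it so it
    can be sanity-checked against the capture time."""
    return datetime.fromtimestamp(int(digits), tz=timezone.utc)


def reconstruct_chain(records):
    """Return the chain-related requests in time order and pair each payload
    fetch with the exploit request that shares its ten-digit id."""
    stages = []
    jar_ids = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        stage = classify(r["host"], r["uri"])
        if stage == "other":
            continue
        entry = {"stage": stage, "url": r["host"] + r["uri"]}
        if stage == "nuclear-ek-jar":
            entry["id"] = EK_JAR_RE.match(r["uri"]).group(1)
            jar_ids.add(entry["id"])
        elif stage == "nuclear-ek-payload":
            pid = EK_PAYLOAD_RE.match(r["uri"]).group(1)
            entry["id"] = pid
            # A payload id never seen as a jar request means the exploit
            # fetch was missed, or belongs to a different capture.
            entry["linked_to_exploit"] = pid in jar_ids
        stages.append(entry)
    return stages


if __name__ == "__main__":
    for e in reconstruct_chain(parse_log(SAMPLE_LOG)):
        print(e)
    print("path id as epoch:", epoch_hint("1395876720").isoformat())
```

Matching on the bare EK domain would miss the next campaign as soon as the domain rotates; keying on the numeric-label host pattern and the ten-digit jar and /f/ paths survives a domain change, while still being narrow enough that ordinary sites (the favicon line) fall through to "other". The linked_to_exploit flag is the check to look at when a payload fetch shows up without its exploit request in the same capture.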

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
