2014-04-07 - NUCLEAR EK FROM 142.4.194.72 - DYSTERIEW.RU

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT - CVE-2012-1723

File name:  2014-04-07-Nuclear-EK-java-exploit.jar
File size:  17.8 KB ( 18181 bytes )
MD5 hash:  f2995cde10105e5af7cbc9f845db1f9b
Detection ratio:  4 / 51
First submission:  2014-04-07 01:46:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eef49038ab4e94b69c0911b5e60cb32e8afd2fe24eba0a6af28fa0c9a1a089b9/analysis/

MALWARE PAYLOAD

File name:  2014-04-07-Nuclear-EK-malware-payload.exe
File size:  138.4 KB ( 141672 bytes )
MD5 hash:  79c5678d3b942d36084813fdbcac60bc
Detection ratio:  21 / 51
First submission:  2014-04-05 08:13:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/07208c8ca135edcc4ea28f3360a2a46a4e9d9835633c1366478246cf3ea4ad30/analysis/
Malwr link:  https://malwr.com/analysis/Yzk4ZTgxMDdlMmI1NGIxOTk5OGQyOTdmYWM1MDkzN2Q/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

First HTTP GET request to the Nuclear EK:

Nuclear EK delivers Java exploit CVE-2012-1723:

Java exploit CVE-2012-1723 delivers EXE payload:

Nuclear EK delivers MSIE exploit CVE-2013-2551:

MSIE exploit CVE-2013-2551 delivers the same EXE payload (obfuscated or encrypted this time):

Post-infection callback traffic:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
