2014-04-09 - NUCLEAR EK FROM 142.4.194.92 - FOYILLEAVRT.RU

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE

REDIRECT

NUCLEAR EK

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-04-09-Nuclear-EK-java-exploit.jar
File size:  18.2 KB ( 18643 bytes )
MD5 hash:  c762b6ba4f560692b6b84ac212cd3ec2
Detection ratio:  11 / 51
First submission:  2014-04-08 19:09:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c776c5f3b979233c8466fc521e38271bbd59081538e126273fe1a75a228bd25d/analysis/

MALWARE PAYLOAD

File name:  2014-04-09-Nuclear-EK-malware-payload.exe
File size:  130.9 KB ( 134080 bytes )
MD5 hash:  8033e7edf5af48cf64bbb07f95388582
Detection ratio:  12 / 51
First submission:  2014-04-09 09:30:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/58e15a766562f52a1fa0a8f7944519e9a702eb078db02ac53b149a4881030145/analysis/
Malwr link:  https://malwr.com/analysis/YjM5NjZhZGQ5ZTY4NDRiMWFlYmNiZjI5MGZlZDdhMzc/

FILES AS FOUND IN THE APPDATA\LOCAL\TEMP FOLDER

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Example of the malicious script appended to every JavaScript file on the compromised website:

Redirect:

Nuclear EK delivers Java exploit CVE-2012-1723:

Nuclear EK delivers MSIE exploit CVE-2013-2551:

Java exploit delivers EXE payload:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
