2014-04-10 - NUCLEAR EK FROM 198.50.253.235 - TREYWOO.RU

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE

REDIRECT CHAIN

NUCLEAR EK

POST-INFECTION CALLBACK

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-04-10-Nuclear-EK-java-exploit.jar
File size:  18.5 KB ( 18969 bytes )
MD5 hash:  6cd120078a8e3df2f1b2c9a9e914359b
Detection ratio:  10 / 51
First submission:  2014-04-11 02:13:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/94b9305b51f5bc3afc5e3ad11a0f478be71210cadf1a9d73ef0c712343c57861/analysis/

 

MALWARE PAYLOAD

File name:  2014-04-10-Nuclear-EK-malware-payload.exe
File size:  152.0 KB ( 155648 bytes )
MD5 hash:  d7ee08417413a6e0e64ab188e1062250
Detection ratio:  18 / 51
First submission:  2014-04-10 17:42:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cb5eb77069418056e78ab7c8ff94d16f9330a30d43602e0e99d6c8f1f37b4dd3/analysis/
Malwr link:  I submitted the EXE to Malwr.com, but after an hour, the analysis is still pending.
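A practitioner who pulls the samples from the ZIP will want to confirm they are the files described above before doing anything with them. The script below is an added example, not part of the original post: it carries the MD5, byte size and VirusTotal link listed above for each file, derives the expected SHA-256 from the VirusTotal URL (VirusTotal keys its file reports by SHA-256), and reports any mismatch. The function names are this example's own; the test inputs it is checked against are constructed bytes, not the real samples.

```python
"""Verify extracted samples against the IOCs listed in the write-up.

Added example for this page, not the post author's code. IOC values are
copied from the post; function names and test data are this example's.
"""
import hashlib
import re
from pathlib import Path

# IOCs exactly as listed in the post: file name -> MD5, size in bytes, VT link.
IOCS = {
    "2014-04-10-Nuclear-EK-java-exploit.jar": {
        "md5": "6cd120078a8e3df2f1b2c9a9e914359b",
        "size": 18969,
        "vt": "https://www.virustotal.com/en/file/94b9305b51f5bc3afc5e3ad11a0f478be71210cadf1a9d73ef0c712343c57861/analysis/",
    },
    "2014-04-10-Nuclear-EK-malware-payload.exe": {
        "md5": "d7ee08417413a6e0e64ab188e1062250",
        "size": 155648,
        "vt": "https://www.virustotal.com/en/file/cb5eb77069418056e78ab7c8ff94d16f9330a30d43602e0e99d6c8f1f37b4dd3/analysis/",
    },
}

# VirusTotal file reports live under /file/<sha256>/ ; pull that hash out.
_VT_SHA256 = re.compile(r"/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url: str) -> str:
    """Return the 64-hex SHA-256 embedded in a VirusTotal file-report URL."""
    m = _VT_SHA256.search(url)
    if not m:
        raise ValueError("no SHA-256 in VirusTotal URL: " + url)
    return m.group(1)


def fingerprint(data: bytes) -> dict:
    """MD5, SHA-256 and length of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def check_sample(name: str, data: bytes) -> list:
    """Compare bytes against the post's IOCs for `name`; [] means everything matches."""
    ioc = IOCS[name]
    expected = {"size": ioc["size"], "md5": ioc["md5"],
                "sha256": sha256_from_vt_url(ioc["vt"])}
    got = fingerprint(data)
    return ["%s: expected %s, got %s" % (k, expected[k], got[k])
            for k in ("size", "md5", "sha256") if got[k] != expected[k]]


def check_directory(directory: str) -> dict:
    """Check every IOC-listed file found in `directory` (the unzipped archive)."""
    results = {}
    for name in IOCS:
        path = Path(directory) / name
        results[name] = (check_sample(name, path.read_bytes())
                         if path.is_file() else ["file not present"])
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for fname, problems in check_directory(target).items():
        print(fname, "OK" if not problems else "; ".join(problems))
```

Run it with the directory the ZIP was extracted into as the only argument. A size mismatch on the EXE is the first thing to look for: a truncated or re-packed payload will fail on size before its hashes are even compared.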

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Javascript from index page of infected website:

 

First redirect domain:

 

Second redirect domain:

 

Nuclear EK delivers Java exploit CVE-2012-1723:

 

Nuclear EK delivers MSIE exploit CVE-2013-2551:

 

Java exploit delivers EXE payload:

 

Post-infection callback traffic:

 
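The highlights above describe the chain as a sequence of HTTP transactions: compromised site, two redirect domains, the Nuclear EK host, a JAR, then an EXE. The script below is an added example and not code from the original post: it reconstructs that chain from flat HTTP log lines by walking Referer headers backwards from the first request to a host that served a Java archive and later an executable to the same client. The log lines are constructed to mirror the shape of this incident; only the EK host name (treywoo.ru, from the post title) is taken from the page, and every other host name and every path is a placeholder.

```python
"""Reconstruct an exploit-kit redirect chain from HTTP log lines.

Added example, not from the original write-up. Log lines are constructed:
the EK host is the one named in the post's title; all other hosts and all
paths are placeholders.
"""
from collections import defaultdict

# Constructed log: client host path response-content-type referer ("-" = none)
SAMPLE_LOG = """\
10.0.0.5 compromised-site.example /index.html text/html -
10.0.0.5 first-redirect.example /js/r.js application/javascript http://compromised-site.example/index.html
10.0.0.5 second-redirect.example /go.php text/html http://first-redirect.example/js/r.js
10.0.0.5 treywoo.ru /landing.php text/html http://second-redirect.example/go.php
10.0.0.5 treywoo.ru /exploit.jar application/java-archive http://treywoo.ru/landing.php
10.0.0.5 treywoo.ru /payload.exe application/x-msdownload -
10.0.0.5 callback.example /check.php text/html -
10.0.0.9 update.example /app.exe application/x-msdownload -
"""

JAVA_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def parse_log(text: str) -> list:
    """Split the space-separated constructed log format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, path, ctype, referer = line.split()
        entries.append({"client": client, "host": host, "path": path,
                        "ctype": ctype,
                        "referer": None if referer == "-" else referer})
    return entries


def referer_chain(entries: list, host: str) -> list:
    """Hosts that led a client to `host`, oldest first, by following Referers."""
    by_url = {"http://%s%s" % (e["host"], e["path"]): e for e in entries}
    cur = next(e for e in entries if e["host"] == host)
    chain, seen = [host], set()
    # Stop at the first request with no Referer, an unseen URL, or a loop.
    while cur["referer"] and cur["referer"] in by_url and cur["referer"] not in seen:
        seen.add(cur["referer"])
        cur = by_url[cur["referer"]]
        chain.append(cur["host"])
    return list(reversed(chain))


def find_ek_chains(entries: list) -> list:
    """Flag (client, host) pairs where a JAR download is followed by an EXE download."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[(e["client"], e["host"])].append(e)
    hits = []
    for (client, host), reqs in grouped.items():
        types = [r["ctype"] for r in reqs]
        jar_at = next((i for i, t in enumerate(types) if t in JAVA_TYPES), None)
        if jar_at is None or not any(t in EXE_TYPES for t in types[jar_at + 1:]):
            continue
        client_entries = [e for e in entries if e["client"] == client]
        hits.append({"client": client, "ek_host": host,
                     "chain": referer_chain(client_entries, host)})
    return hits


if __name__ == "__main__":
    for hit in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], "->", " -> ".join(hit["chain"]))
```

The JAR-then-EXE rule is deliberately narrow: a host that only serves an EXE (the second client above) is not flagged. In real captures the payload is often served with a misleading Content-Type, so when response bodies are available the check should key on the MZ header rather than the declared type; the Referer walk also breaks the moment a redirect strips or forges the header, which is why the post's redirect chain is worth recording host by host.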

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
