2014-05-13 - NUCLEAR EK FROM 37.157.250.10 - FULL.409CREMATE.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

FAKE IE UPDATE PAGE AND REDIRECTS:

NUCLEAR EK:

POST-INFECTION CALLBACK:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-05-13-Nuclear-EK-java-exploit.jar
File size:  12.7 KB ( 12955 bytes )
MD5 hash:  92aa1ca351c9ada3a219cd8c9c91ba24
Detection ratio:  4 / 51
First submission:  2014-05-12 13:13:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0a629bb1a66fc3527d979df4229cb0f3c308543398e99033845d6a807be6c791/analysis/

MALWARE PAYLOAD:

File name:  2014-05-13-Nuclear-EK-malware-payload.exe
File size:  79.0 KB ( 80896 bytes )
MD5 hash:  b58e69c9d3887b3665339eab4b9cfd36
Detection ratio:  5 / 52
First submission:  2014-05-13 04:22:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b3a9a97024c37222b76602f5f732f8dd822071049dfceb10e046cb83ef529724/analysis/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM 2014-05-08 TRAFFIC

gin.mapdiv.net - GET /sd/apps/fusionx/0.0.4.html?aff=2040-2041

gin.mapdiv.net - GET /sd/apps/fusionx/0.0.4.js   --   obfuscated javascript points to ad.convfunnel.com

ad.convfunnel.com - GET /fusionx/www/delivery/afr.php?zoneid=1225&cb=79576211594   --   iframe points to faint.healthylivingclinics.com

faint.healthylivingclinics.com - GET /assets/js/jquery-1.4.4.min.js?ver=1.78.4939   --   another iframe points to Nuclear EK

Nuclear EK sends Java exploit:

Malware payload after successful Java exploit:

Post-infection callback traffic, ET TROJAN Fareit/Pony Downloader Checkin 2:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
