2014-05-16 - NUCLEAR EK FROM 37.157.250.13 - HOSPITALITY.MEDICALBODYDONATIONS.ORG

ASSOCIATED FILES:

SIMILAR BLOG ENTRIES:

NOTES:


CHAIN OF EVENTS

FAKE IE UPDATE PAGE AND REDIRECTS:

NUCLEAR EK:

POST-INFECTION CALLBACK FROM SECOND MALWARE PAYLOAD:

NOTES:

HTTP GET REQUESTS FROM MALWR.COM ANALYSIS OF FIRST MALWARE PAYLOAD:


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT (PROBABLY CVE-2012-1723):

File name:  2014-05-16-Nuclear-EK-java-exploit.jar
File size:  18.1 KB ( 18559 bytes )
MD5 hash:  785ab9c37cabcc12ac63b68dfbbcb4f8
Detection ratio:  6 / 52
First submission:  2014-05-16 21:26:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/995daaef46943b0a97f4b610c95ff3641bcab05d2e32486e3b0852c4a09618c4/analysis/


FIRST MALWARE PAYLOAD:

File name:  2014-05-16-Nuclear-EK-malware-payload-01.exe
File size:  138.0 KB ( 141312 bytes )
MD5 hash:  fa0f8efcc88449e77d192d16146fcf1e
Detection ratio:  1 / 53
First submission:  2014-05-16 21:27:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e01053c8ab57e484fbabcd032d594183af377cc4ba98e3f245e26875e5d8306f/analysis/
Malwr link:  https://malwr.com/analysis/MDIzZTkwZmFkZjVmNDI2YWEzNWVjMGExODU3MzMwOGE/


SECOND MALWARE PAYLOAD:

File name:  2014-05-16-Nuclear-EK-malware-payload-02.exe
File size:  131.5 KB ( 134656 bytes )
MD5 hash:  0da2099e51e4712042e6c837170eb631
Detection ratio:  2 / 53
First submission:  2014-05-16 21:27:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/821d6301728763570cf0fc060b552a67ac95a9871bf34197f02becc13878400f/analysis/
Malwr link:  https://malwr.com/analysis/ZDI2YTdiMGJlMjk1NDRmNzkzZTk0YWZlNzIyNGRmOWE/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Sourcefire VRT events:

Emerging Threats events:


HIGHLIGHTS FROM 2014-05-08 TRAFFIC

gop.findopt.net - GET /sd/apps/fusionx/0.0.4.html?aff=2040-2141


gop.findopt.net - GET /sd/apps/fusionx/0.0.4.js   --   obfuscated JavaScript points to ad.convfunnel.com


ad.convfunnel.com - GET /fusionx/www/delivery/afr.php?zoneid=1786&cb=16000418092   --   iframe points to hbomb.agentlyusedhomestore.com


hbomb.agentlyusedhomestore.com - GET /assets/js/jquery-1.4.4.min.js?ver=4.47.5038   --   another iframe points to Nuclear EK


Nuclear EK sends Java exploit:


Malware payload after successful Java exploit:


Nuclear EK delivers MSIE exploit CVE-2013-2551:


Malware payload after successful MSIE exploit:


Post-infection callback traffic, ET TROJAN Fareit/Pony Downloader Checkin 2 (Emerging Threats) or MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (Sourcefire VRT):
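Added example (not from the original post or its pcap): a small Python script that reconstructs the redirect chain above from proxy log lines, grouping requests per client and checking whether the hosts were hit in the documented order. The log lines are constructed; it assumes the domain from the post title, hospitality.medicalbodydonations.org, is the Nuclear EK host and uses a placeholder landing path because the post does not show one.

```python
import re
from collections import OrderedDict

# Chain hosts from the post, in the order the highlights describe them.
# The stage labels are descriptive only; the EK host is taken from the post title.
CHAIN = OrderedDict([
    ("gop.findopt.net", "redirector (fusionx html/js)"),
    ("ad.convfunnel.com", "ad delivery (afr.php iframe)"),
    ("hbomb.agentlyusedhomestore.com", "iframe to Nuclear EK"),
    ("hospitality.medicalbodydonations.org", "Nuclear EK landing (assumed host)"),
])

# Constructed proxy log: time client method host path (not real captured traffic)
SAMPLE_LOG = """\
21:20:01 10.0.0.5 GET www.example-news.test /index.html
21:20:03 10.0.0.5 GET gop.findopt.net /sd/apps/fusionx/0.0.4.html?aff=2040-2141
21:20:03 10.0.0.5 GET gop.findopt.net /sd/apps/fusionx/0.0.4.js
21:20:04 10.0.0.5 GET ad.convfunnel.com /fusionx/www/delivery/afr.php?zoneid=1786&cb=16000418092
21:20:05 10.0.0.5 GET hbomb.agentlyusedhomestore.com /assets/js/jquery-1.4.4.min.js?ver=4.47.5038
21:20:07 10.0.0.5 GET hospitality.medicalbodydonations.org /PLACEHOLDER-ek-landing-path
21:20:09 10.0.0.9 GET www.example-news.test /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def reconstruct_chains(log_text):
    """Return {client: [(host, stage), ...]} for every client that touched a
    chain host; consecutive hits on the same host are collapsed to one stage."""
    per_client = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log shape
        _ts, client, _method, host, _path = m.groups()
        if host in CHAIN:
            stages = per_client.setdefault(client, [])
            if not stages or stages[-1][0] != host:
                stages.append((host, CHAIN[host]))
    return per_client


def is_full_chain(stages):
    """True when a client's hits match the documented redirect order exactly."""
    return [host for host, _ in stages] == list(CHAIN)


if __name__ == "__main__":
    for client, stages in reconstruct_chains(SAMPLE_LOG).items():
        print(client, "full chain" if is_full_chain(stages) else "partial", stages)
```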


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
