2014-05-26 - NUCLEAR EK FROM 192.243.115.146 - B631C84CiWS0DL.TEMENOPBG.RU & 3655320711-4.TEMENOPBG.RU

PCAP AND MALWARE:

SIMILAR BLOG ENTRIES:

NOTES:

CHAIN OF EVENTS

FAKE IE UPDATE PAGE AND REDIRECTS:

NUCLEAR EK:

POST-INFECTION CALLBACK FROM SECOND MALWARE PAYLOAD:

CLICK FRAUD TRAFFIC BEGINS:

ADDITIONAL NOTES:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-05-26-Nuclear-EK-java-exploit.jar
File size:  10.2 KB ( 10419 bytes )
MD5 hash:  443ce6291f701418353db118f6d08d27
Detection ratio:  0 / 52
First submission:  2014-05-26 03:36:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b9eecbf110a75906eb89cb276edfe4ff731a889866849aafd43b9de84cf06e2d/analysis/

MALWARE PAYLOAD 1 OF 2

File name:  2014-05-26-Nuclear-EK-malware-payload-01.exe
File size:  208.7 KB ( 213736 bytes )
MD5 hash:  a929660981a45d8c349df13727ccd807
Detection ratio:  3 / 52
First submission:  2014-05-26 03:37:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a13a3362eab8fd1c24aad3c187cff0442a7230d518bf28c39e78fca7d691e78f/analysis/
Malwr link:  https://malwr.com/analysis/NGM1NmNhNmJmMTkxNDk5Y2E1YWM3Y2M5ODVlOWNlMDI/

MALWARE PAYLOAD 2 OF 2

File name:  2014-05-26-Nuclear-EK-malware-payload-02.exe
File size:  181.5 KB ( 185856 bytes )
MD5 hash:  6d9fd705920d01fa643b40512436f1aa
Detection ratio:  4 / 53
First submission:  2014-05-26 03:42:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4ee55d2ff5ab6b27bd89524e8d53948ab31ccc2be9776bc6e5b8bb2c22a4bee5/analysis/
Malwr link:  https://malwr.com/analysis/MzNlMWQ3OTMxZjY0NDNiNGI3YWNhYmI0MTQwNjhlMWM/

POST-INFECTION MALWARE DOWNLOADED

File name:  UpdateFlashPlayer_070536b5.exe
File size:  198.3 KB ( 203065 bytes )
MD5 hash:  e9897f59508fe11860a749c46114a27a
Detection ratio:  10 / 52
First submission:  2014-05-26 03:43:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d3a3a48fe63445305fe8fd2151cd53f6411b54298bf51d86e54afe2648ce8cb/analysis/
Malwr link:  https://malwr.com/analysis/MzExY2I0ZmIyMTQzNDcwYTg3YjM5ZTRjM2Q2YzllNjQ/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion):

Emerging Threats ruleset

Sourcefire VRT ruleset

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.