2014-06-02 - NUCLEAR EK FROM 93.189.40.43 - GROZAM.HIPERJOGOS.INFO

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-02-Nuclear-EK-flash-exploit.swf
File size:  9.3 KB ( 9525 bytes )
MD5 hash:  0e4fdee8dfd5b482541d3fd8c3ada0d4
Detection ratio:  1 / 48
First submission:  2014-04-24 13:47:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4788cca43f06752bd6d52978cbf8058fa4a3aeb76bc5242ee83da4223ec2de13/analysis/

JAVA EXPLOIT

File name:  2014-06-02-Nuclear-EK-java-exploit.jar
File size:  11.3 KB ( 11599 bytes )
MD5 hash:  807ab697e5b5c1f716db966325842108
Detection ratio:  3 / 53
First submission:  2014-05-30 13:45:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c43dbbadd79f2c50f67bfc265825fbac3887f6840b1dbb2e2556148f597d80c7/analysis/

MALWARE PAYLOAD

File name:  2014-06-02-Nuclear-EK-malware-payload.exe
File size:  136.0 KB ( 139264 bytes )
MD5 hash:  72f2c27f180c6998e36ff67a1c841d7c
Detection ratio:  3 / 52
First submission:  2014-06-02 04:07:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/09d58f7370eaa06381032ab2c52f2c995553f2023196d834d2288ce2779c242a/analysis/
Malwr link:  https://malwr.com/analysis/MjNkMjQ5NDFkNzg4NGJhMWFhZTRmMDA5YTY1NWEzMDY/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats ruleset:

Sourcefire VRT ruleset:

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in java file from compromised website:

Redirect:

Nuclear EK delivers Flash exploit:

EXE payload sent after successful Flash exploit:

Nuclear EK delivers CVE-2013-2551 MSIE exploit:

EXE payload sent after successful CVE-2013-2551 MSIE exploit:

Nuclear EK delivers Java exploit:

EXE payload sent after successful Java exploit:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.