2014-06-09 - NUCLEAR EK FROM 185.10.57.167 - BT.REALWESTCHESTERCOUNTY.COM

ASSOCIATED FILES:

CHAIN OF EVENTS

NUCLEAR EK:

POST-INFECTION TRAFFIC:

CLICKFRAUD TRAFFIC BEGINS:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-06-09-Nuclear-EK-java-exploit.jar
File size:  11.9 KB ( 12167 bytes )
MD5 hash:  fcde039872d8596bc8304cbebb139b93
Detection ratio:  1 / 51
First submission:  2014-06-09 08:16:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d14526ffae471a7910f4c93ff327ca64a154b84f3cf061b8ce3b169de01b8236/analysis/

MALWARE PAYLOAD (1 OF 2)

File name:  2014-06-09-Nuclear-EK-malware-payload-01.exe
File size:  151.3 KB ( 154960 bytes )
MD5 hash:  28af2419726b96e9f7a43212f481b371
Detection ratio:  5 / 52
First submission:  2014-06-09 15:11:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f02792d0cabb7a6a86486738330cddace48ac2b3ced21c86a11f4331a08b24f1/analysis/

MALWARE PAYLOAD (2 OF 2)

File name:  2014-06-09-Nuclear-EK-malware-payload-02.exe
File size:  134.0 KB ( 137216 bytes )
MD5 hash:  997c01baf8c7b664f214ce0d4dfaee97
Detection ratio:  4 / 52
First submission:  2014-06-09 15:12:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a567448233d252a53a4d546f1e33047f8cd3971d3f0aeac56086d04ef25a2ee7/analysis/

POST-INFECTION MALWARE

File name:  exe.exe
Stored in the user's AppData\Local\Temp directory as: UpdateFlashPlayer_88fd1df4.exe
File size:  146.0 KB ( 149512 bytes )
MD5 hash:  e548e7e3a65dd40a781815de4e381f41
Detection ratio:  11 / 52
First submission:  2014-06-09 07:29:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/88b092e3328babee786b01796fc80c1f893411892a88437a4592a13b660bd741/analysis/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.