2014-06-25 - NUCLEAR EK FROM 185.14.31.37 - 4607C15APBMYK.WEALEH.UNI.ME - 2453099568-6.WEALEH.UNI.ME

ASSOCIATED FILES:

NOTES:


Today, a search on Clean MX showed 1,104 URLs from askmen.com have been reported as bad since 2012-12-31.  These were quickly resolved, but new ones kept getting reported.  Today, a visit to www.askmen.com generated Nuclear EK traffic that delivered Shylock malware.


ASSOCIATED DOMAINS

INFECTION CHAIN:

DNS SERVERS USED BY THE MALWARE:

DNS QUERIES ISSUED BY THE MALWARE:

IP ADDRESSES SEEN IN THE POST-INFECTION HTTPS TRAFFIC:


CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT CHAIN:

NUCLEAR EK:

POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT   ( CVE-2014-0515 )

File name:  2014-06-25-Nuclear-EK-flash-exploit.swf
File size:  4.3 KB ( 4359 bytes )
MD5 hash:  76a24b09e979ae69523e04a75eb2ded4
Detection ratio:  5 / 54
First submission:  2014-06-20 11:17:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7cf71bbc539f953b33de154576cec5622d6abec897008253fd5243cde470b636/analysis/


JAVA EXPLOIT   ( CVE-2013-2465 )

File name:  2014-06-25-Nuclear-EK-java-exploit.jar
File size:  12.2 KB ( 12520 bytes )
MD5 hash:  14bb3b86bb7060017c8182c89db65280
Detection ratio:  6 / 54
First submission:  2014-06-25 00:43:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5708c2d127392535fac67535d14507a78729d041068fd27cca93ab8b335b96f3/analysis/


MALWARE PAYLOAD   ( CAPHAW / SHYLOCK )

File name:  2014-06-25-Nuclear-EK-malware-payload.exe
File size:  452.0 KB ( 462848 bytes )
MD5 hash:  2cf0ea20417e794f7f2f1a1e471ffd12
Detection ratio:  3 / 54
First submission:  2014-06-25 19:32:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d25ef0e50161b138fb26b46bd939254389ac618163888e89423150807c296484/analysis/
Malwr link:  https://malwr.com/analysis/ODdlMTYyYjkyNDMxNGQ0Yzk2OGU1YzI3NTgxMmU3Y2Q/


SNORT EVENTS

NOTE: This is from Sguil on Security Onion using the default Emerging Threats open ruleset.  I'm still working through some issues using the ET PRO and Sourcefire VRT rulesets on Security Onion, so I ask your patience while I work that out.


HIGHLIGHTS FROM THE TRAFFIC

Step 1 - from the www.askmen.com index page to malicious javascript at www.askmen.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js

Step 2 - from the malicious javascript at www.askmen.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js to stat.litecsys.com/d2.php?ds=true&dr=1201283312

Step 3 - from stat.litecsys.com/d2.php?ds=true&dr=1201283312 to static.sumibi.org/pop2.php?acc=%0Ar%B5%0Fo%3A%18%F21%2F%A5%EB%7B%EBGJ%23%7Ed%BE3%8D%D4T&nrk=3040270654

Step 4 - from static.sumibi.org/pop2.php?acc=%0Ar%B5%0Fo%3A%18%F21%2F%A5%EB%7B%EBGJ%23%7Ed%BE3%8D%D4T&nrk=3040270654 to the Nuclear EK landing page at 4607c15apbmyk.wealeh.uni.me
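The four steps above are the redirect chain the author pulled out of the PCAP by hand. As an added example (not code from the original post), the script below shows how an analyst can rebuild that same chain automatically from proxy-style HTTP records by walking Referer headers backwards from the landing-page request, and how to match the hostnames in the traffic against the domains named in this post. The log records are constructed here for the example; the long "acc=" value from step 3 is replaced with the placeholder ELIDED and the timestamps are made up. Note that the injected main-*.min.js file does not show up in a Referer-based chain, because the script runs in the context of the index page and the d2.php request carries the index page as its referer; finding the injection itself still requires inspecting the script content.

```python
"""Rebuild an exploit-kit redirect chain from HTTP proxy records (added example)."""
from urllib.parse import urlsplit

# Constructed sample records in the order they were seen: (time, requested URL, Referer or "-").
# The hosts and URLs follow the chain described in the post; "acc=ELIDED" stands in for the
# long encoded parameter, and the timestamps are invented.
SAMPLE_LOG = [
    ("12:00:01", "http://www.askmen.com/", "-"),
    ("12:00:02", "http://www.askmen.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js",
     "http://www.askmen.com/"),
    ("12:00:03", "http://stat.litecsys.com/d2.php?ds=true&dr=1201283312", "http://www.askmen.com/"),
    ("12:00:04", "http://static.sumibi.org/pop2.php?acc=ELIDED&nrk=3040270654",
     "http://stat.litecsys.com/d2.php?ds=true&dr=1201283312"),
    ("12:00:05", "http://4607c15apbmyk.wealeh.uni.me/",
     "http://static.sumibi.org/pop2.php?acc=ELIDED&nrk=3040270654"),
    ("12:00:10", "http://www.example.com/", "-"),   # unrelated browsing, should not be in the chain
]

# Domains taken from the chain in this post; a host matches if it equals the domain or is a subdomain.
INDICATOR_DOMAINS = {"litecsys.com", "sumibi.org", "wealeh.uni.me"}


def host_of(url):
    """Return the lowercase hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def matches_indicator(host, domains=INDICATOR_DOMAINS):
    """True if host is one of the indicator domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def indicator_hits(records, domains=INDICATOR_DOMAINS):
    """Sorted list of distinct hostnames in the records that match an indicator domain."""
    return sorted({host_of(url) for _, url, _ in records if matches_indicator(host_of(url), domains)})


def reconstruct_chain(records, landing_host):
    """Walk Referer headers backwards from the first request to landing_host.

    Returns the list of URLs from the origin page to the landing page, or [] if the
    landing host never appears. A referer that is missing ("-") or already in the chain
    ends the walk, so a referer loop cannot run forever.
    """
    first_referer = {}
    for _, url, referer in records:
        first_referer.setdefault(url, referer)   # keep the first-seen referer per URL

    start = next((url for _, url, _ in records if host_of(url) == landing_host), None)
    if start is None:
        return []

    chain, seen = [start], {start}
    while True:
        referer = first_referer.get(chain[-1], "-")
        if referer == "-" or referer in seen:
            break
        chain.append(referer)
        seen.add(referer)
    chain.reverse()
    return chain


def chain_hosts(records, landing_host):
    """Convenience view of the chain as hostnames only."""
    return [host_of(url) for url in reconstruct_chain(records, landing_host)]


if __name__ == "__main__":
    for step, url in enumerate(reconstruct_chain(SAMPLE_LOG, "4607c15apbmyk.wealeh.uni.me"), 1):
        print(f"Step {step}: {url}")
    print("Indicator hits:", indicator_hits(SAMPLE_LOG))
```

Run against the constructed records, the chain comes out as askmen.com index page, stat.litecsys.com, static.sumibi.org, then the wealeh.uni.me landing page, which is the post's steps 1 through 4 with the injected script omitted for the reason given above. Pointing `reconstruct_chain` at a real proxy export (Squid, Bro/Zeek http.log, or a tshark field dump) only needs the record tuples built from that source's columns.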


Nuclear EK delivers CVE-2014-0515 Flash exploit:


Nuclear EK delivers Java exploit:


EXE payload sent after successful Java exploit:


Some of the post-infection traffic from the PCAP in Wireshark:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
