2014-06-26 - NUCLEAR EK FROM 87.117.255.187 - DEVELOPERS.TRAVELFORWARD.DE

ASSOCIATED FILES:

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT CHAIN:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-06-27-Nuclear-EK-java-exploit.jar
File size:  12.2 KB ( 12541 bytes )
MD5 hash:  bf9273261f0af0e4e84ee164330280a3
Detection ratio:  11 / 53
First submission:  2014-06-26 13:25:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b0b092cf6adbb16c5f7a8ad79bc6b7b8131f8d27bc1059a84b2ae7788eb7ee0d/analysis/

MALWARE PAYLOAD 1 OF 2

File name:  2014-06-27-Nuclear-EK-malware-payload-1-of-2.exe
File size:  161.0 KB ( 164864 bytes )
MD5 hash:  3c66056f2d105df48ad95f807dee19c5
Detection ratio:  15 / 54
First submission:  2014-06-27 07:36:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/685807e7c312dbf76c510f34ead4f66aa0677b739d042638c3f86404e1794cba/analysis/
Malwr link:  https://malwr.com/analysis/MjZjODAxYzM0ZGI3NDNjM2E3ZTgyZjlhMTdkZDVhNzQ/

MALWARE PAYLOAD 2 OF 2

File name:  2014-06-27-Nuclear-EK-malware-payload-2-of-2.exe
File size:  135.5 KB ( 138752 bytes )
MD5 hash:  4b2d91d1f44f1edc3a339a85bfa4ed1c
Detection ratio:  17 / 54
First submission:  2014-06-29 01:24:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/280cb7b99611a06ab3f5a39b2e9e4e408c835d5073e48dc6a22fa775975e6181/analysis/
Malwr link:  https://malwr.com/analysis/YzVkMjMxOTg2NDllNDhiZjhmMzUzOGM5ZGM1MWZjN2I/

SCREENSHOTS FROM THE TRAFFIC

Malicious JavaScript from compromised website pointing to redirect:

Redirect pointing to Nuclear EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
