2014-07-04 - NUCLEAR EK ON 5.135.211.48 - EDC.VIRTUALTRAVELEVENTS.NET

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


REDIRECT CHAIN LEADING TO NUCLEAR EK:

NUCLEAR EK:


PCAP FROM SANDBOX ANALYSIS OF THE MALWARE:


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-07-04-Nuclear-EK-java-exploit.jar
File size:  11.1 KB ( 11365 bytes )
MD5 hash:  3bbf5967da5b854ae3103722e69f5437
Detection ratio:  2 / 54
First submission:  2014-07-04 01:08:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d57f9b53c89bfa09272eb92e7a6d238a9b35c6db8910195d82dc5604b348f2fe/analysis/


MALWARE PAYLOAD

File name:  2014-07-04-Nuclear-EK-malware-payload.exe
File size:  132.5 KB ( 135680 bytes )
MD5 hash:  bf523d17c9ee2fffd0dae1431a729927
Detection ratio:  3 / 54
First submission:  2014-07-04 01:08:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e2adbf56f9aee4711b296eb0ce62afda1e97235ae95fb16d511e8629d6850b8e/analysis/
Malwr link:  https://malwr.com/analysis/MmQwMGMzMzdkYmRkNGEwN2EwZDBiN2I4YjgzZGU4MWY/


FOLLOW-UP MALWARE

File name:  2014-07-04-Nuclear-EK-post-infection-malware.exe
File size:  165.0 KB ( 168968 bytes )
MD5 hash:  0bdf4a4c27fe59b370e4cce0db3bb502
Detection ratio:  10 / 54
First submission:  2014-07-04 01:28:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e14f03337a7d9963a56d5f3ca7dca15cb8d149c96da03f8707b400a1a4ee8220/analysis/
Malwr link:  https://malwr.com/analysis/NmE0ZGVlNDE1ZWZmNDk1MzgzYzExOTNmMGM0MzcyZDQ/


SNORT EVENTS FROM THE INITIAL INFECTION

Emerging Threats and ETPRO rulesets (not including ET INFO or ET POLICY signatures):

Sourcefire VRT ruleset:

NOTE: These Snort events were taken from Sguil on Security Onion


SNORT EVENTS FROM SANDBOX ANALYSIS OF THE MALWARE

Emerging Threats and ETPRO rulesets (not including ET INFO or ET POLICY signatures):

Sourcefire VRT ruleset:

NOTE: These Snort events were generated by reading the PCAP with Snort 2.9.6.0 on Ubuntu 14.04 LTS.  This setup uses the same rulesets as Security Onion.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
