2014-07-19 - NUCLEAR EK FROM 79.133.219.121 - 141320960-6.EASYPOTENT.CO.VU

ASSOCIATED FILES:

PCAPS AND MALWARE:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

NUCLEAR EK:

POST-INFECTION TRAFFIC FROM THE VM:

POST-INFECTION TRAFFIC FROM MALWR.COM SANDBOX ANALYSIS:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-19-Nuclear-EK-flash-exploit.swf
File size:  5.8 KB ( 5897 bytes )
MD5 hash:  765f1c63fb0747125e8391392c0e078e
Detection ratio:  4 / 53
First submission:  2014-07-19 00:44:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0c7ea628113061150d1277afce771ace591c57f7721e11f78a8c606cf6cbbe94/analysis/

JAVA EXPLOIT:

File name:  2014-07-19-Nuclear-EK-java-exploit.jar
File size:  11.1 KB ( 11367 bytes )
MD5 hash:  b21c14530f4ac483258642d29baa806f
Detection ratio:  1 / 53
First submission:  2014-07-18 20:06:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6d69158e1bebf5fd202ea40c2d70dea6a0c033843df04d9d04d417d62769504/analysis/

MALWARE PAYLOAD:

File name:  2014-07-19-Nuclear-EK-malware-payload.exe
File size:  96.0 KB ( 98312 bytes )
MD5 hash:  3cbc20e8ce4b4fb47da3cc1c963d41b3
Detection ratio:  1 / 52
First submission:  2014-07-19 00:43:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/957a25e2023721a17fa86d8db8f6985f2817e48bb3fb0dd8efb052c40424aa9a/analysis/
Malwr link:  https://malwr.com/analysis/YjFkYzBiY2Q0ZGVhNGQ1YWJiN2Q5NDFmODhlN2QzZGM/

FOLLOW-UP MALWARE FROM MALWR.COM ANALYSIS:

File name:  exe.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  72353b5bd718a4abd964b2612e3dd01d
Detection ratio:  2 / 53
First submission:  2014-07-19 01:28:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e5ad7bec18337e46f45cb67a62f853b5bc31af86ef950c0715d476a9cd7489e4/analysis/
Malwr link:  https://malwr.com/analysis/ZWI0NzQxMmM1YzdmNDI2OThjZjFiYjE1MDRiMmY3MzE/


NOTE:  This is Rerdom, normally saved to the infected computer as UpdateFlashPlayer_[something].exe in the user's AppData\Local\Temp directory.

SNORT EVENTS FROM THE VM INFECTION TRAFFIC

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not counting ET INFO or ET POLICY signatures):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.