2014-08-01 - NUCLEAR EK FROM 85.159.213.246 - PARALETAS.PATMOS-STAR.COM

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

REDIRECT (REPEATED):

 

NUCLEAR EK:

 

POST-INFECTION TRAFFIC:

Also saw encrypted TCP streams to the following IP addresses:

Information on these callback IP addresses:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-08-01-Nuclear-EK-java-exploit.jar
File size:  11.2 KB ( 11474 bytes )
MD5 hash:  8851958384b1cbb376e6c4c25aced05a
Detection ratio:  0 / 54
First submission:  2014-08-01 02:29:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c737abdecbf3b7856a5eebda668af46b95a469ea4c8987e9fa2304cade48d121/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-01-Nuclear-EK-malware-payload.exe
File size:  158.9 KB ( 162744 bytes )
MD5 hash:  0e2a570edd577f27ba711afd9557f718
Detection ratio:  3 / 53
First submission:  2014-08-01 02:30:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a9dd22ce9baf671e1a2b07203e237fdbb21f9f8d509b3c1157f350b445e7dd47/analysis/
Totalhash link:  http://totalhash.com/analysis/0e962aab55a923dbde1afae9f7c29c0974126674
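Before opening either artifact, confirm that what came out of the ZIP is the file this post describes. The post lists file size and MD5, while the VirusTotal links are keyed by SHA256, so all three can be cross-checked. The script below is an added example for this page, not code from the original post or from malware-traffic-analysis.net; the `ExpectedSample`, `check_sample` and `check_file` names are mine, and the `CONSTRUCTED_BYTES` stand-in is made up so the script runs offline (it is not the real jar).

```python
import hashlib
import re
from dataclasses import dataclass

# Pulls the SHA256 out of a VirusTotal file URL of the form
# https://www.virustotal.com/en/file/<sha256>/analysis/ so the link can be
# verified against the downloaded file, not just the MD5 the post lists.
VT_FILE_RE = re.compile(r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})")


@dataclass(frozen=True)
class ExpectedSample:
    """Identifiers for one artifact exactly as listed in the post."""
    name: str
    size: int   # bytes
    md5: str
    vt_url: str

    @property
    def sha256(self) -> str:
        match = VT_FILE_RE.search(self.vt_url)
        if match is None:
            raise ValueError(f"no SHA256 in VirusTotal URL: {self.vt_url}")
        return match.group(1).lower()


# Values copied from the PRELIMINARY MALWARE ANALYSIS section of this post.
PAGE_SAMPLES = {
    "java-exploit": ExpectedSample(
        "2014-08-01-Nuclear-EK-java-exploit.jar", 11474,
        "8851958384b1cbb376e6c4c25aced05a",
        "https://www.virustotal.com/en/file/c737abdecbf3b7856a5eebda668af46b95a469ea4c8987e9fa2304cade48d121/analysis/",
    ),
    "payload": ExpectedSample(
        "2014-08-01-Nuclear-EK-malware-payload.exe", 162744,
        "0e2a570edd577f27ba711afd9557f718",
        "https://www.virustotal.com/en/file/a9dd22ce9baf671e1a2b07203e237fdbb21f9f8d509b3c1157f350b445e7dd47/analysis/",
    ),
}


def digests(data: bytes) -> tuple[int, str, str]:
    """Size in bytes, MD5 hex digest and SHA256 hex digest of file contents."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def check_sample(data: bytes, expected: ExpectedSample) -> list[str]:
    """Compare file contents against the listed size, MD5 and SHA256.

    Returns an empty list when all three match, otherwise one line per
    mismatch, so a partial match (right size, wrong hash) stays visible.
    """
    size, md5, sha256 = digests(data)
    problems = []
    if size != expected.size:
        problems.append(f"{expected.name}: size {size} != {expected.size}")
    if md5 != expected.md5.lower():
        problems.append(f"{expected.name}: md5 {md5} != {expected.md5.lower()}")
    if sha256 != expected.sha256:
        problems.append(f"{expected.name}: sha256 {sha256} != {expected.sha256}")
    return problems


def check_file(path: str, expected: ExpectedSample) -> list[str]:
    """Same check against an extracted artifact on disk."""
    with open(path, "rb") as fh:
        return check_sample(fh.read(), expected)


# Constructed stand-in bytes (NOT the real sample) so the script runs offline.
# Its expected record is derived from the bytes themselves, which only serves
# to exercise the matching path; real use is
# check_file("2014-08-01-Nuclear-EK-java-exploit.jar", PAGE_SAMPLES["java-exploit"]).
CONSTRUCTED_BYTES = b"PK\x03\x04" + b"constructed stand-in, not the real jar"
_size, _md5, _sha256 = digests(CONSTRUCTED_BYTES)
CONSTRUCTED_EXPECTED = ExpectedSample(
    "constructed.bin", _size, _md5,
    f"https://www.virustotal.com/en/file/{_sha256}/analysis/",
)

if __name__ == "__main__":
    print("constructed bytes vs. their own record:",
          check_sample(CONSTRUCTED_BYTES, CONSTRUCTED_EXPECTED) or "all identifiers match")
    print("constructed bytes vs. the post's jar record:")
    for line in check_sample(CONSTRUCTED_BYTES, PAGE_SAMPLES["java-exploit"]):
        print("  ", line)
```

Run `check_file()` on each extracted artifact against its `PAGE_SAMPLES` entry; anything other than an empty list means the file on disk is not the one analysed here and should not be trusted as such.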

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
