2014-08-06 - NUCLEAR EK FROM 94.229.64.227 - IBIZ.COUNSELINGMOMENTS.COM

ASSOCIATED FILES:


CHAIN OF EVENTS

REDIRECT THAT LED TO NUCLEAR EK:


NUCLEAR EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-08-06-Nuclear-EK-java-exploit.jar
File size:  11.9 KB ( 12221 bytes )
MD5 hash:  25b3f029c3327cdec54fc719d37403ba
Detection ratio:  0 / 51
First submission:  2014-08-06 23:41:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0f5fafc68f2ba70d7289a57dfe49a6a8154906e29024c9fdd3b28390b39bb96a/analysis/


MALWARE PAYLOAD:

File name:  2014-08-06-Nuclear-EK-malwre-payload.exe
File size:  200.0 KB ( 204800 bytes )
MD5 hash:  609cc899a3ed8f23c54981137bb80cf3
Detection ratio:  0 / 54
First submission:  2014-08-06 23:41:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2499b98617f7e76514be57fa9fb15a48d2adc5e0beac6d68f845a719cd32b1be/analysis/


FOLLOW-UP MALWARE:

File name:  UpdateFlashPlayer_90bb0736.exe
File size:  164.0 KB ( 167936 bytes )
MD5 hash:  b20ebff04cf7a6c7cc24873183e1ca2f
Detection ratio:  21 / 54
First submission:  2014-08-06 18:18:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9ae4a4ea4ae284251996f62916dde00663c81ef5549f81b8ca732e6daa23b598/analysis/
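The three entries above are the page's indicators of compromise in the site's usual "Key:  value" layout. The following is an added example, not part of the original post, that parses that layout into structured records, recovers the SHA256 from each VirusTotal URL (the MD5 is printed, the SHA256 only appears in the link), repairs the doubled-scheme typo ("hhttps://") seen in the payload entry, and sanity-checks each record (hash lengths, KB figure versus byte count, detection ratio). The sample listing embedded in the script is the page's own text copied verbatim; the function names and the field layout of the output dicts are my own choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the three file entries from this page, copied as
# they appear (including the "hhttps" typo in the payload entry's VT link).
SAMPLE_LISTING = """\
JAVA EXPLOIT:

File name:  2014-08-06-Nuclear-EK-java-exploit.jar
File size:  11.9 KB ( 12221 bytes )
MD5 hash:  25b3f029c3327cdec54fc719d37403ba
Detection ratio:  0 / 51
First submission:  2014-08-06 23:41:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0f5fafc68f2ba70d7289a57dfe49a6a8154906e29024c9fdd3b28390b39bb96a/analysis/

MALWARE PAYLOAD:

File name:  2014-08-06-Nuclear-EK-malwre-payload.exe
File size:  200.0 KB ( 204800 bytes )
MD5 hash:  609cc899a3ed8f23c54981137bb80cf3
Detection ratio:  0 / 54
First submission:  2014-08-06 23:41:54 UTC
VirusTotal link:  hhttps://www.virustotal.com/en/file/2499b98617f7e76514be57fa9fb15a48d2adc5e0beac6d68f845a719cd32b1be/analysis/

FOLLOW-UP MALWARE:

File name:  UpdateFlashPlayer_90bb0736.exe
File size:  164.0 KB ( 167936 bytes )
MD5 hash:  b20ebff04cf7a6c7cc24873183e1ca2f
Detection ratio:  21 / 54
First submission:  2014-08-06 18:18:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9ae4a4ea4ae284251996f62916dde00663c81ef5549f81b8ca732e6daa23b598/analysis/
"""

HEADING_RE = re.compile(r"^([A-Z][A-Z -]+):$")          # e.g. "JAVA EXPLOIT:"
SIZE_RE = re.compile(r"^([\d.]+)\s*KB\s*\(\s*(\d+)\s*bytes\s*\)$")
RATIO_RE = re.compile(r"^(\d+)\s*/\s*(\d+)$")
SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")      # VT file URLs carry the SHA256
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_listing(text):
    """Turn the page's 'Key:  value' blocks into one dict per sample."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADING_RE.match(line)
        if m:                                   # a new sample starts at each heading
            current = {"role": m.group(1).title()}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "File name":
            current["file_name"] = value
        elif key == "File size":
            sm = SIZE_RE.match(value)
            current["size_kb"] = float(sm.group(1))
            current["size_bytes"] = int(sm.group(2))
        elif key == "MD5 hash":
            current["md5"] = value.lower()
        elif key == "Detection ratio":
            rm = RATIO_RE.match(value)
            current["detections"] = int(rm.group(1))
            current["engines"] = int(rm.group(2))
        elif key == "First submission":
            current["first_submission"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        elif key == "VirusTotal link":
            # Repair a doubled scheme character such as "hhttps://" before use.
            url = re.sub(r"^h+ttps://", "https://", value)
            current["vt_url"] = url
            sha = SHA256_RE.search(url)
            current["sha256"] = sha.group(1).lower() if sha else None
    return records


def validate(rec):
    """Return a list of consistency problems for one parsed record (empty = clean)."""
    problems = []
    if not MD5_RE.match(rec.get("md5", "")):
        problems.append("md5 is not 32 hex chars")
    if not rec.get("sha256"):
        problems.append("no SHA256 recoverable from VirusTotal link")
    if round(rec["size_bytes"] / 1024, 1) != rec["size_kb"]:
        problems.append("KB figure does not match byte count")
    if rec["detections"] > rec["engines"]:
        problems.append("detections exceed engine count")
    return problems


def undetected_at_submission(records):
    """File names of samples that scored 0 detections when first submitted."""
    return [r["file_name"] for r in records if r["detections"] == 0]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r["role"], r["file_name"], r["md5"], r["sha256"], validate(r))
    print("Zero detections:", undetected_at_submission(recs))
```

Because `first_submission` is parsed as a timezone-aware datetime, the records can be sorted by when they reached VirusTotal; doing so shows that the follow-up sample (18:18 UTC) was already on VirusTotal hours before the Java exploit and the dropped payload (23:41 UTC), both of which had zero detections at submission.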


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
