2014-08-12 - NUCLEAR EK FROM 94.229.64.231 - INTL.ECHRISTIANCARE.CO

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

MALVERTISING REDIRECT:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-08-12-Nuclear-EK-flash-exploit.swf
File size:  5.5 KB ( 5614 bytes )
MD5 hash:  a1465ece32fa3106aa88fd666ebf8c78
Detection ratio:  3 / 47
First submission:  2014-08-08 07:20:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e165b73eb2f84f5fd5e85e4aecdfea947e51a0556d70f08924e8f1c28fd1079a/analysis/

JAVA EXPLOIT

File name:  2014-08-12-Nuclear-EK-java-exploit.jar
File size:  12.1 KB ( 12396 bytes )
MD5 hash:  a93f603a95282b80d8afd3f23c4d4889
Detection ratio:  3 / 50
First submission:  2014-08-12 14:21:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/367e0eb7dba190f23666e2bc89baf5d2f79460a98cf19a5155f7c4b7f1f5c864/analysis/

PDF EXPLOIT

File name:  2014-08-12-Nuclear-EK-pdf-exploit.pdf
File size:  9.5 KB ( 9770 bytes )
MD5 hash:  19ed55ef17a49451d8052d0b51c66239
Detection ratio:  2 / 54
First submission:  2014-08-12 14:22:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7ae6cce3edf2f690fbbba2c4da2b6674abb386ff5d3c639b9214fb51fac62879/analysis/

MALWARE PAYLOAD

File name:  2014-08-12-Nuclear-EK-malware-payload.exe
File size:  102.5 KB ( 104960 bytes )
MD5 hash:  8bce8a59f9e789befb9d178c9a03fb66
Detection ratio:  1 / 53
First submission:  2014-08-12 14:22:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/355546c6bb8fde63f5cfdd663996df3222aa154f06d33fe4b81c2d5085166ee1/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

Nuclear EK landing page, with the malvertisement referer:

Nuclear EK sends the malware payload:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.