2014-08-17 - NUCLEAR EK FROM 176.58.126.215 - GEGOSIMA.RUBIAGURU.COM.AR

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-17-Nuclear-EK-flash-exploit.swf
File size:  5.6 KB (5723 bytes)
MD5 hash:  f608b6839ec9e4b281de55b364ede860
Detection ratio:  3 / 54
First submission:  2014-08-15 07:19:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ab0eeb8157f87d3d24c5c2054855c59470ff4c1ba80fe9cc1e41b25c0c07d88/analysis/

JAVA EXPLOIT:

File name:  2014-08-17-Nuclear-EK-java-exploit.jar
File size:  12.0 KB (12328 bytes)
MD5 hash:  7f52ae69c45a24a0c181b9263757794b
Detection ratio:  2 / 54
First submission:  2014-08-17 02:02:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a071b9a8016fdfe1e6bdbe072cb4322f2ecc65c808703580df81defabc505f33/analysis/

MALWARE PAYLOAD:

File name:  2014-08-17-Nuclear-EK-malwre-payload.exe
File size:  200.0 KB (204800 bytes)
MD5 hash:  8b659534db92a7986dd44286e631809b
Detection ratio:  1 / 54
First submission:  2014-08-17 02:02:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/61f5872562f36685b1e5ab09f866b067778af922452a8a13260ec7765c2e24a3/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

Every HTTP GET request for JavaScript from the compromised web site returned a file that contained a link to the redirect:

Here's the redirect pointing to the Nuclear EK landing page:

An example of the pharmacy spam (not included in the pcap):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
