2014-08-15 - NUCLEAR EK FROM 178.32.92.105 - MAP.SWEETFROGSALISBURY.NET

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

NUCLEAR EK:

POST-INFECTION CALLBACK TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name: 2014-08-25-Nuclear-EK-flash-exploit.swf
File size: 6.8 KB (6969 bytes)
MD5 hash: 80fffd7a822ccb3373fc75947d634163
Detection ratio: 2 / 55
First submission: 2014-08-25 17:53:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/85cfbd9d56ffd6d798d454f05b80e42e468ce288dd5dfe2ffc69d88315426190/analysis/

JAVA EXPLOIT

File name: 2014-08-25-Nuclear-EK-java-exploit.jar
File size: 12.4 KB (12696 bytes)
MD5 hash: 726cd4b61a746939f8eeb2e2c9ca0df2
Detection ratio: 2 / 55
First submission: 2014-08-25 17:53:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/0145ddd8707d82716092cbc0347ef6b8610ac52a694f3e852b3f5192b30efe09/analysis/

MALWARE PAYLOAD

File name: 2014-08-25-Nuclear-EK-malware-payload.exe
File size: 134.5 KB (137728 bytes)
MD5 hash: 9963e87942d5368ab8ce0fea32266e08
Detection ratio: 2 / 55
First submission: 2014-08-25 17:53:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/1ae830c3671031dd1ac3d31df01e6e4e3147049a54c7c06e9badd8851515f7b4/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

HIGHLIGHTS FROM THE TRAFFIC

Malicious ad traffic from compromised website with iframe pointing to redirect:

Redirect pointing to the Nuclear EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.