2014-09-03 - NUCLEAR EK FROM 80.85.84.142 - GIODULDER.LAURENTIUCOZMA.RO

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT (CVE-2014-0515):

File name:  2014-09-03-Nuclear-EK-flash-exploit.swf
File size:  5.5 KB ( 5597 bytes )
MD5 hash:  d78be8b785e4e2db995deb97a472e7ef
Detection ratio:  4 / 51
First submission:  2014-09-02 16:58:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f0c59dc047d51ffee06c73d1fbd868a7fe51b5697e2fe1dc4a518c105f25e0bc/analysis/

PDF EXPLOIT:

File name:  2014-09-03-Nuclear-EK-pdf-exploit.pdf
File size:  9.5 KB ( 9723 bytes )
MD5 hash:  730d47cff6fd5caa1dd4e63068ad632c
Detection ratio:  2 / 52
First submission:  2014-09-03 13:18:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eba46e4247f32fca3a54918c3e4f71657d56c64098e3ed828136922cedca1bee/analysis/

MALWARE PAYLOAD:

File name:  2014-09-03-Nuclear-EK-malware-payload.exe
File size:  120.0 KB ( 122880 bytes )
MD5 hash:  0b86e2435331e445bbd1d0e000564c5e
Detection ratio:  4 / 54
First submission:  2014-09-03 13:43:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/73ccaffd11447f6d08860c5a9d2fa2313d0b1410ddfd8a7d17e7b95335540d2b/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in file from compromised website:

Redirect pointing to Nuclear EK:

Win32/Tofsee.AX connectivity check to google.com (note the user agent):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.