2014-09-04 - NUCLEAR EK FROM 80.85.84.188 - AFRIDUN.AUTOTH.COM

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


NUCLEAR EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-04-Nuclear-EK-flash-exploit.swf
File size:  5.5 KB ( 5597 bytes )
MD5 hash:  d78be8b785e4e2db995deb97a472e7ef
Detection ratio:  8 / 51
First submission:  2014-09-02 16:58:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f0c59dc047d51ffee06c73d1fbd868a7fe51b5697e2fe1dc4a518c105f25e0bc/analysis/


JAVA EXPLOIT:

File name:  2014-09-04-Nuclear-EK-java-exploit.jar
File size:  12.2 KB ( 12515 bytes )
MD5 hash:  4ac8be8590713c21cdca3863e00a735a
Detection ratio:  7 / 55
First submission:  2014-09-04 08:52:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ceca517017314a67cbba70ffaa2f75db68eb36b7c8a904929dd02fcf83a5b929/analysis/


PDF EXPLOIT:

File name:  2014-09-04-Nuclear-EK-pdf-exploit.pdf
File size:  9.0 KB ( 9242 bytes )
MD5 hash:  9f11977ded2afd598a875b079c48d03c
Detection ratio:  1 / 55
First submission:  2014-09-04 15:22:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8ff2d8cb6239af2ba96bf03d2278ba467b88dcbe669072c9b0ed230b749b75d0/analysis/


MALWARE PAYLOAD:

File name:  2014-09-04-Nuclear-EK-malware-payload.exe
File size:  116.0 KB ( 118784 bytes )
MD5 hash:  7e8a2392e95b455700f005cc9d58c1c7
Detection ratio:  2 / 55
First submission:  2014-09-04 14:35:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/382d35fffaaa81fbc7236ed6491739b640510a34368e1c741eb34f7415ae932a/analysis/
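The four listings above give an MD5 per sample and a VirusTotal link; the link itself carries the SHA-256. The script below is an added example, not part of the original page or its zip: it transcribes those four entries into an IOC table, pulls the SHA-256 out of each VirusTotal URL so a match does not rest on MD5 alone, and hashes every file under a directory against both digests. The directory path is whatever you pass on the command line (hypothetical), and the byte strings used to exercise it are constructed.

```python
"""Hash-based triage against the sample list on this page.

Added example, not part of the original page or its zip.  SAMPLES is
transcribed from the listing: size and MD5 from each entry, SHA-256 from the
hash embedded in the VirusTotal link.  Directory paths are hypothetical.
"""
import hashlib
import os
import re

SAMPLES = [
    {"name": "2014-09-04-Nuclear-EK-flash-exploit.swf", "size": 5597,
     "md5": "d78be8b785e4e2db995deb97a472e7ef",
     "vt_url": "https://www.virustotal.com/en/file/f0c59dc047d51ffee06c73d1fbd868a7fe51b5697e2fe1dc4a518c105f25e0bc/analysis/"},
    {"name": "2014-09-04-Nuclear-EK-java-exploit.jar", "size": 12515,
     "md5": "4ac8be8590713c21cdca3863e00a735a",
     "vt_url": "https://www.virustotal.com/en/file/ceca517017314a67cbba70ffaa2f75db68eb36b7c8a904929dd02fcf83a5b929/analysis/"},
    {"name": "2014-09-04-Nuclear-EK-pdf-exploit.pdf", "size": 9242,
     "md5": "9f11977ded2afd598a875b079c48d03c",
     "vt_url": "https://www.virustotal.com/en/file/8ff2d8cb6239af2ba96bf03d2278ba467b88dcbe669072c9b0ed230b749b75d0/analysis/"},
    {"name": "2014-09-04-Nuclear-EK-malware-payload.exe", "size": 118784,
     "md5": "7e8a2392e95b455700f005cc9d58c1c7",
     "vt_url": "https://www.virustotal.com/en/file/382d35fffaaa81fbc7236ed6491739b640510a34368e1c741eb34f7415ae932a/analysis/"},
]

_VT_SHA256 = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url):
    """VirusTotal file URLs embed the SHA-256; extract it so matching can use
    the stronger hash even though the listing only prints MD5."""
    m = _VT_SHA256.search(url)
    if not m:
        raise ValueError("no SHA-256 in VirusTotal URL: %s" % url)
    return m.group(1).lower()


def build_index():
    """Map every known digest (MD5 and SHA-256, lower-case hex) to a sample name."""
    index = {}
    for s in SAMPLES:
        index[s["md5"].lower()] = s["name"]
        index[sha256_from_vt_url(s["vt_url"])] = s["name"]
    return index


def digests(data):
    """Return (md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def identify(data, index=None):
    """Name of the listed sample these bytes are, or None if no digest matches."""
    index = index or build_index()
    md5, sha256 = digests(data)
    # SHA-256 is checked first.  An MD5-only hit is still reported because MD5
    # is what most 2014-era writeups printed, but treat it as weaker evidence.
    return index.get(sha256) or index.get(md5)


def scan_directory(root, index=None):
    """Walk a directory and return [(path, sample_name)] for matching files."""
    index = index or build_index()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the scan
            name = identify(data, index)
            if name:
                hits.append((path, name))
    return hits


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python ioc_check.py /path/to/extracted/zip
    for path, name in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s  ->  %s" % (path, name))
```

Run it over the directory you extracted the page's zip into and every sample should come back with its listed name; run it over a quarantine folder and a hit on either digest tells you which stage of this chain you are holding. Keying the index on both hashes matters because the MD5 is what the listing prints, while the SHA-256 is what VirusTotal and most later feeds key on.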


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:


Redirect pointing to Nuclear EK:

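The two captures referenced here (the iframe injected into the compromised page, and the redirect that points on to Nuclear EK) are screenshots that are not reproduced in this text. The script below is an added example, not the author's capture: a stdlib-only extractor that pulls every iframe out of a saved HTML response and flags the ones a visitor would never see, which is the usual shape of the injected tag that starts a chain like this one. SAMPLE_HTML and the hostnames in it are constructed for illustration; they are not the compromised site, the redirector, or afridun.autoth.com from this traffic.

```python
"""Find hidden iframes in a saved HTML response.

Added example, not from the original page.  SAMPLE_HTML and the hostnames in
it are constructed; they are not the real compromised site or redirect.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><body>
<p>Constructed page standing in for the compromised website.</p>
<iframe src="http://www.compromised-site.example/player.html" width="640" height="360"></iframe>
<!-- typical injection: 1x1 and display:none, pointing at a redirector -->
<iframe src="http://redirector.example/some/path" width="1" height="1" style="display:none"></iframe>
<!-- another common disguise: pushed off-screen -->
<iframe src="http://offscreen-redirect.example/x" style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>"""


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """'0', '1', '1px' -> int; anything else (e.g. '100%', missing) -> None."""
    m = re.match(r"^\s*(-?\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def hidden_reasons(attrs):
    """Why this iframe would be invisible to a visitor; empty list if it would not be."""
    reasons = []
    for dim in ("width", "height"):
        px = _px(attrs.get(dim))
        if px is not None and px <= 1:
            reasons.append("%s<=1" % dim)
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    for dim in ("width", "height"):
        m = re.search(r"(?:^|;)%s:(\d+)(?:px)?(?:;|$)" % dim, style)
        if m and int(m.group(1)) <= 1:
            reasons.append("style-%s<=1" % dim)
    if re.search(r"(?:^|;)(?:left|top):-\d+px", style):
        reasons.append("offscreen")
    return reasons


def find_iframes(html):
    """All iframes with their src, host and the reasons (if any) they are hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    out = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        out.append({"src": src,
                    "host": urlparse(src).hostname or "",
                    "hidden": hidden_reasons(attrs)})
    return out


def suspicious_hosts(html, page_host):
    """Third-party hosts loaded through hidden iframes: the next hop to pivot on."""
    return sorted({f["host"] for f in find_iframes(html)
                   if f["hidden"] and f["host"] and f["host"] != page_host})


if __name__ == "__main__":
    for f in find_iframes(SAMPLE_HTML):
        print("HIDDEN " if f["hidden"] else "visible", f["src"], f["hidden"])
    print("pivot on:", suspicious_hosts(SAMPLE_HTML, "www.compromised-site.example"))
```

Feed it the HTML body you export from the pcap for the compromised site's page, with that site's hostname as page_host, and the hosts it returns are the ones to look for in the next GET of the chain. The caveat: an iframe written by obfuscated JavaScript (document.write or createElement at run time) is not in the static HTML and this parser will not see it; for those, the proof is the follow-on request in the pcap, not the page source.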

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
