2014-09-08 - NUCLEAR EK FROM 151.236.216.177 - BUBLEROSKA.SMART-SIMCHAH.COM

ASSOCIATED FILES:

NOTES:

PREVIOUS BLOG ENTRIES ON NUCLEAR EK FROM THIS ACTOR:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-08-Nuclear-EK-flash-exploit.swf
File size:  5.5 KB ( 5662 bytes )
MD5 hash:  278fe2398a349ee6f22a02dcdeab66aa
Detection ratio:  2 / 55
First submission:  2014-09-05 07:17:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/38708505ab3b8267f5744e82c86d153654d290b99c4fd18ad96dd78ea5f4197b/analysis/

JAVA EXPLOIT:

File name:  2014-09-08-Nuclear-EK-java-exploit.jar
File size:  13.8 KB ( 14138 bytes )
MD5 hash:  84a68bd1ae3f71b91fafc0b6d1b7ad29
Detection ratio:  2 / 55
First submission:  2014-09-08 22:25:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7302ebe585d117f7428fabceaf0e2c8b20e590d16fa82e7237a44417c3ec9ef5/analysis/

MALWARE PAYLOAD:

File name:  2014-09-08-Nuclear-EK-malware-payload.exe
File size:  148.0 KB ( 151552 bytes )
MD5 hash:  50c5952c549bbfee7d5f34f60b6b000a
Detection ratio:  7 / 55
First submission:  2014-09-08 14:48:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/102bc44f010ad2917e728da4ca0e825512450ed67da22dd2f9ab0b9e6d0bebde/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.