2014-09-16 - NUCLEAR EK FROM 80.85.87.179 - OFLATIRAS.VIDEOSDEANIMAIS.COM.BR

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT (GATE):

NUCLEAR EK:

FIESTA EK URL THAT APPEARED DURING THE NUCLEAR EK:

POST-INFECTION CALLBACK TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-16-Nuclear-EK-flash-exploit.swf
File size:  5.7 KB ( 5832 bytes )
MD5 hash:  da5d57c700ebec211a6a57166700e796
Detection ratio:  1 / 55
First submission:  2014-09-15 10:38:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0c3304c65b3d9c42586ba104407c4bd0c9601eff54071fdc7c022b19a7fb69f4/analysis/

PDF EXPLOIT

File name:  2014-09-16-Nuclear-EK-pdf-exploit.pdf
File size:  9.6 KB ( 9880 bytes )
MD5 hash:  dc4b3f27e564574e888a09a39775ae4e
Detection ratio:  2 / 53
First submission:  2014-09-16 13:56:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8bfa87b410347a9bcf49ead272ee0c727febdb80f754caab8e2198acd18e8a24/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-09-16-Nuclear-EK-silverlight-exploit.xap
File size:  8.9 KB ( 9146 bytes )
MD5 hash:  9e9497ec03bc45d9cae065e7f9e9d866
Detection ratio:  3 / 55
First submission:  2014-09-16 13:57:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bf2e437e455f5697673b17eda5425ba17834d211a049dc8baccb17b93ff39aa7/analysis/

MALWARE PAYLOAD (TOFSEE)

File name:  2014-09-16-Nuclear-EK-malware-payload.exe
File size:  100.0 KB ( 102400 bytes )
MD5 hash:  652e59a91d328f504e6086efc5bd2e1d
Detection ratio:  2 / 55
First submission:  2014-09-16 13:59:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ebe842085cf7430a1a523612603481b9e757b7388bc96adbe64b7d27f0a4292c/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in file from compromised website:

Redirect (gate) pointing to Nuclear EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.