2014-09-21 - NUCLEAR EK FROM 176.58.112.200 - AGELPIROSTAN.NEMISSA.INFO

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

NUCLEAR EK:

TRAFFIC TO OTHER DOMAINS - POSSIBLY RELATED TO THE NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-21-Nuclear-EK-flash-exploit.swf
File size:  5.7 KB ( 5843 bytes )
MD5 hash:  c6309f9e43541b75295f207d57556a97
Detection ratio:  2 / 55
First submission:  2014-09-18 19:54:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/32698be0ba9e3258bc0eaafb18f462dfb709c36a8ac080c8d4fb5d7b3e96afd4/analysis/

PDF EXPLOIT

File name:  2014-09-21-Nuclear-EK-pdf-exploit.pdf
File size:  9.4 KB ( 9592 bytes )
MD5 hash:  4e38c6e3e815d9fb489a6dd3c1b8c559
Detection ratio:  2 / 55
First submission:  2014-09-21 21:52:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f5defd437a56dd0efa519c253827934ffd8b59925e8d1517b591da8409a6632/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-09-21-Nuclear-EK-silverlight-exploit.xap
File size:  7.6 KB ( 7739 bytes )
MD5 hash:  ab49ec00726f1715f19ada50e50ce391
Detection ratio:  2 / 55
First submission:  2014-09-21 21:52:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/92c17d53aee6816a3caa7379bf972e3071996ce41e77ad284269a579ce2851ee/analysis/

MALWARE PAYLOAD

File name:  2014-09-21-Nuclear-EK-malware-payload.exe
File size:  176.0 KB ( 180224 bytes )
MD5 hash:  ab8d3d76d16b694e5e6ad29df67a9522
Detection ratio:  4 / 55
First submission:  2014-09-21 21:53:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b5ab9fae39999ca8f07c9a8cd42130b1ac6b062927cb28fbad985758bda6bc52/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in file from compromised website:

Redirect pointing to Nuclear EK landing page:

Example of the spam traffic sent by the infected host (not included in the pcap):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
