2014-09-29 - NUCLEAR EK DELIVERS DIGITALLY-SIGNED CRYPTOWALL MALWARE

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

ORIGINAL WEBSITE VISITED:

GOOGLE AND ZEDO AD TRAFFIC:

VERIFIED PORTION OF THE INFECTION CHAIN:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-29-Nuclear-EK-flash-exploit.swf
File size:  5.7 KB ( 5883 bytes )
MD5 hash:  712a0c8c5c790f1e8e05be255b145954
Detection ratio:  1 / 55
First submission:  2014-09-29 08:27:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/674a2cc433019b7a7e478d5edc31c2f47634b3058b1fe2749b583905b722550d/analysis/

PDF EXPLOIT

File name:  2014-09-29-Nuclear-EK-pdf-exploit.pdf
File size:  9.5 KB ( 9754 bytes )
MD5 hash:  e4559cd4344a46db72e51c070996a076
Detection ratio:  1 / 55
First submission:  2014-09-29 17:53:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0aa9bee7f523cc0b918c9ad17f67188851344c02f68afd15e6142d826a8619f9/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-09-29-Nuclear-EK-silverlight-exploit.xap
File size:  8.1 KB ( 8340 bytes )
MD5 hash:  afd3b15390de8aa440e5e676f03d1c89
Detection ratio:  0 / 55
First submission:  2014-09-29 05:35:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c743f60c6277f25c8c829b2beff21f5243a56243cd9385dfc131aabb7c9f3094/analysis/

MALWARE PAYLOAD (DIGITALLY-SIGNED CRYPTOWALL)

File name:  2014-09-29-Nuclear-EK-malware-payload.exe
File size:  159.9 KB ( 163696 bytes )
MD5 hash:  dc5c71aef24a5899f63c3f9c15993697
Detection ratio:  1 / 54
First submission:  2014-09-29 13:36:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54ce7a04b71a1bbdfcfd0bf46bd1f138dee5d4554e21192d1f98d0e02694f351/analysis/

SNORT EVENTS

Applicable signature hits from the Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Applicable Sourcefire VRT signature hits from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

HIGHLIGHTS FROM THE TRAFFIC

First redirect with the original referer [doesn't indicate all the ad traffic between the original referer and this URL]:

Second redirect to Nuclear EK:

CryptoWall in action:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.