2014-11-06 - NUCLEAR EK SENDS SILVERLIGHT EXPLOIT AS A FLASH FILE

ASSOCIATED FILES:
NOTES:
CHAIN OF EVENTS

ASSOCIATED DOMAINS:
COMPROMISED WEBSITE AND REDIRECT CHAIN:
NUCLEAR EK:
POST-INFECTION TRAFFIC FROM THE INFECTED VM:
PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-06-Nuclear-EK-flash-exploit.swf
File size:  30.8 KB ( 31579 bytes )
MD5 hash:  458ecf2e77b0a413f3076d504632f840
Detection ratio:  0 / 54
First submission:  2014-10-29 18:10:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fa9e850b382fbc4211c5c80693d713c778574258d6606db57bc0380f9b3b323f/analysis/
PDF EXPLOIT

File name:  2014-11-06-Nuclear-EK-pdf-exploit.pdf
File size:  9.7 KB ( 9940 bytes )
MD5 hash:  d210403a9d63879c0b2acf41b6d82720
Detection ratio:  1 / 53
First submission:  2014-11-06 16:10:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/efefc7e889ee031e402dac2a05e6d4762144497b6007c9ef73628935d766aa4c/analysis/
SILVERLIGHT EXPLOIT

File name:  2014-11-06-Nuclear-EK-silverlight-exploit.xap
File size:  7.9 KB ( 8064 bytes )
MD5 hash:  3ba514d8cf12bbf1a070fbc5933eb5c5
Detection ratio:  4 / 53
First submission:  [not recorded on this page; the original entry repeats the file size here]
VirusTotal link:  https://www.virustotal.com/en/file/5bcb20f506ce854eb3191ca87a14c5777cdcb0f96ffec0b68e3535001d3675db/analysis/
MALWARE PAYLOAD

File name:  2014-11-06-Nuclear-EK-malware-payload.exe
File size:  136.0 KB ( 139264 bytes )
MD5 hash:  67291715c45c4594b8866e90fbf5c7c4
Detection ratio:  5 / 53
First submission:  2014-11-06 16:11:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c/analysis/
Malwr.com link:  https://malwr.com/analysis/ZTA5NTU1ZGM1MmVlNGE5ZjhjYzhhNDFiOTU1YjNjOTY/
SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
HIGHLIGHTS FROM THE TRAFFIC

Malicious iframe in .js file from compromised website:
Redirect (gate) pointing to Nuclear EK:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.