2014-12-10 - WINDIGO GROUP USES NUCLEAR EK FROM 128.199.48.110 - SEVENTHNAMED.CO.VU

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE:

CUSHION REDIRECT:

NUCLEAR EK:

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Security Onion using tcpreplay:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-12-10-Nuclear-EK-flash-exploit.swf
File size:  21.8 KB ( 22326 bytes )
MD5 hash:  7fd849a20fa8e0a647f4138c3ce81de5
Detection ratio:  0 / 56
First submission:  2014-12-08 12:40:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/60c0a25df731aa8aa11713a0341eab2943ca07fa8ec9de43376b9f7b1a17045e/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-12-10-Nuclear-EK-silverlight-exploit.xap
File size:  6.8 KB ( 6924 bytes )
MD5 hash:  87d140b1b68cbe2b46a4a355fbd87a09
Detection ratio:  1 / 56
First submission:  2014-12-10 18:31:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0b5876419025568915bfea24d22163169f4b3634935edafd998c26d57900055/analysis/

MALWARE PAYLOAD

File name:  2014-12-10-Nuclear-EK-malware-payload.exe
File size:  82.9 KB ( 84848 bytes )
MD5 hash:  9f82062c56437a4b0ec896fa71950085
Detection ratio:  5 / 56
First submission:  2014-12-10 18:31:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5a9a5b66cef38d10c78ccef20eb23621b47c196f9109fbac304ff00ab655b3c6/analysis/
Malwr link:  https://malwr.com/analysis/NDU0YjdhY2Y5ZThmNDBkMGI5OGQ4ZDM4Mzk0ZmU3Yjg/

SCREENSHOTS FROM THE TRAFFIC

Nuclear EK landing page:

Nuclear EK sends Flash exploit:

Nuclear EK sends Silverlight exploit:

EXE payload sent three times, after successful exploits.  Each time, the payload was XOR-ed with the ASCII string tmpTVTHym:
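As an added example (not part of the original write-up), the snippet below shows how an analyst would recover the EXE from a capture obfuscated with the repeating ASCII key tmpTVTHym noted above, including the case where the captured stream does not start on a key boundary. The PE bytes it works on are a constructed minimal stand-in, not the real payload.

```python
"""Decode a repeating-key XOR-obfuscated PE and verify the result.

Added example; the key is the one noted in the traffic analysis above,
the sample PE bytes are constructed here and are not the real payload.
"""
import struct

XOR_KEY = b"tmpTVTHym"  # ASCII key seen in the Nuclear EK payload traffic


def xor_with_key(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with a repeating key, starting at key position `offset`.
    XOR is symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' magic and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_pe(blob: bytes, key: bytes = XOR_KEY):
    """Try every key rotation (a capture may begin mid-key) and return
    (offset, decoded_bytes) for the first rotation that yields a PE,
    or None if no rotation produces a plausible PE header."""
    for offset in range(len(key)):
        candidate = xor_with_key(blob, key, offset)
        if looks_like_pe(candidate):
            return offset, candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal stand-in: DOS header whose e_lfanew points
    at a 'PE\\0\\0' signature, followed by filler bytes."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew = 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed "capture": the obfuscated stream starts at key position 3.
    wire = xor_with_key(build_fake_pe(), XOR_KEY, offset=3)
    print(recover_pe(wire))  # (3, b'MZ...') once the right rotation is found
```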

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.