2014-12-15 - NUCLEAR EK FROM 95.85.23.178 - FOURKOPOLL.CO.VU

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

REDIRECT:

 

NUCLEAR EK:

 

POST-INFECTION TRAFFIC:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):

 

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7.6:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-12-15-Nuclear-EK-flash-exploit.swf
File size:  21.8 KB ( 22333 bytes )
MD5 hash:  29922425f848685ee3fc5c5dff298f32
Detection ratio:  1 / 54
First submission:  2014-12-14 19:15:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3776888d092ede27c01be68e54842feade97dc3e0268f9637c009cfa93156d96/analysis/

 

MALWARE PAYLOAD:

File name:  2014-12-15-Nuclear-EK-malware-payload.exe
File size:  176.0 KB ( 180224 bytes )
MD5 hash:  c35c22abf0c4a6001a3dbb89e82e73ed
Detection ratio:  3 / 54
First submission:  2014-12-15 22:03:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/88e5f207dd24260bc9f9d4e893510248a1ed55bb245329ade15dcabdd8769315/analysis/
Malwr link:  https://malwr.com/analysis/Y2FlMGVjNzk5NDRmNGRhMjhlMDE2NGQ5OTBjY2NkOTM/

 

DROPPED MALWARE FROM THE INFECTED VM:

File name:  lhidcetf.exe
File size:  35.6 MB ( 37347328 bytes )
MD5 hash:  984b7625ec575bba3a36159bb2249260
Detection ratio:  4 / 55
First submission:  2014-12-15 21:56:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2c19577996157c3a3db49bc4491160cacee97cba1abcb0339af794cb7579e7db/analysis/


Same metadata as the payload, but with a file size over 35 MB.

 

SCREENSHOTS FROM THE TRAFFIC

Malicious iframe embedded after JavaScript returned from the redirect URL:

 

Nuclear EK landing page:

 

Nuclear EK sends Flash exploit:

 

EXE payload sent after successful exploit, XOR-ed with the ASCII string:  MUZrcnp

 
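As an added example (not part of the original post), here is a Python decoder for a payload sent XOR-ed with a repeating ASCII key such as the MUZrcnp string noted above; rather than trusting the key blindly, it checks the decoded bytes structurally (MZ DOS header and the PE signature at e_lfanew). The sample bytes are constructed for the demo, not the real payload from this traffic.

```python
"""Recover a PE payload that was XOR-ed with a repeating ASCII key.

Added example, not code from the original post.  The key is the one the
page reports; the "PE" used as input below is CONSTRUCTED, not the real
sample.  The XOR pass is the reason a naive 'MZ' content signature never
fires on the wire: the first two bytes arrive as 0x00 0x0F, not 'MZ'.
"""
import struct
from itertools import cycle
from typing import Optional

XOR_KEY = b"MUZrcnp"  # ASCII key stated on the page


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key; XOR is its own inverse, so the
    same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Structural sanity check: 'MZ' DOS header plus 'PE\\0\\0' at the
    offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """CONSTRUCTED minimal DOS header + PE signature for the demo only."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def recover_payload(encoded: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Return the decoded PE when the key yields a valid header, else None."""
    decoded = xor_decode(encoded, key)
    return decoded if looks_like_pe(decoded) else None


if __name__ == "__main__":
    # Simulate what a carve from the pcap would look like, then decode it.
    wire = xor_decode(build_fake_pe(), XOR_KEY)
    print("first bytes on the wire:", wire[:4].hex())       # 000f... not 'MZ'
    print("valid PE after decode:", recover_payload(wire) is not None)
```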

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
