2014-12-18 - NUCLEAR EK FROM 178.62.255.107 - WOXEPITYFILLO.CF

ASSOCIATED FILES:

 

NOTES:


Shown above:  search results for the compromised website on scumware.org

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE:

 

REDIRECT:

 

NUCLEAR EK:

 

POST-INFECTION TRAFFIC:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):

 

Sourcefire VRT ruleset from Snort 2.9.7.0 on Security Onion using tcpreplay (not including preprocessor rules):

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-12-18-Nuclear-EK-flash-exploit.swf
File size:  21.3 KB ( 21821 bytes )
MD5 hash:  1d5a40397e716fde5fca0d178acd835e
Detection ratio:  0 / 53
First submission:  2014-12-17 07:58:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fa695e9e42f621a0e7c49958b6c59042acaa3c68b2e5255309669eee5f85ed5a/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-12-18-Nuclear-EK-Silverlight-exploit.xap
File size:  6.8 KB ( 6926 bytes )
MD5 hash:  e06bfa9214d3f7fe7f176d963d5be4b9
Detection ratio:  1 / 55
First submission:  2014-12-18 17:20:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e2769893b7142184bdd82d966c3425c8686df2bb61be8b3eb977d7e5a617247/analysis/

 

MALWARE PAYLOAD

File name:  2014-12-18-Nuclear-EK-malware-payload.exe
File size:  178.1 KB ( 182424 bytes )
MD5 hash:  4f61aa95d7e045a533c5c11702ba17a2
Detection ratio:  7 / 54
First submission:  2014-12-18 00:25:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35f0dd081d9f70d4d1af6a37bb89a703eb80e104902ca629481915df86f0b4f2/analysis/
Malwr link:  https://malwr.com/analysis/YjZiYzA2MTgxNzgxNDg3OGE3NjZhOWI2Y2E4MTU2ZGE/

 

SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from compromised website:

 

Redirect pointing to the exploit kit:

 

Nuclear EK landing page:

 

Nuclear EK sends Flash exploit:

 

EXE payload, XOR-ed with the ASCII string nSmfD during the traffic (sent 3 times with the same XOR pattern):
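The following is an added analysis helper (not code from the original post) showing how an analyst recovers the EXE from a capture like this one: the payload bytes are XOR-ed with a short repeating ASCII key, so undoing it is a repeating-key XOR, and the result can be sanity-checked by looking for a valid MZ/PE header. It also shows how the key itself can be recovered from the ciphertext without knowing it in advance, assuming the executable carries the standard "This program cannot be run in DOS mode." stub at its usual offset. The key nSmfD is the one named on this page; the PE-like sample bytes are constructed here for the demonstration and are not the real payload.

```python
from itertools import cycle

# Key observed in this page's traffic (a 5-byte ASCII string).
KEY = b"nSmfD"

# Standard DOS stub text found in most Windows executables; assumed here
# as known plaintext for key recovery. Its usual offset is 0x4E.
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR. The operation is its own inverse,
    so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check on a decoded blob: 'MZ' signature and an
    e_lfanew field (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(ciphertext: bytes, key_len: int,
                known: bytes = DOS_STUB, offset: int = DOS_STUB_OFFSET) -> bytes:
    """Recover a repeating XOR key of length key_len from ciphertext by
    XOR-ing a known plaintext run (the DOS stub) against the bytes at the
    same offset. Byte i of the resulting key stream belongs to key
    position (offset + i) % key_len, so the key is reassembled from the
    first key_len stream bytes in rotated order."""
    if len(known) < key_len:
        raise ValueError("known plaintext shorter than key length")
    stream = xor_with_key(ciphertext[offset:offset + len(known)], known)
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = stream[i]
    return bytes(key)


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE-shaped blob for the demonstration:
    MZ signature, e_lfanew -> 0x80, DOS stub at 0x4E, 'PE\\0\\0' at 0x80."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def decode_and_verify(blob: bytes, key: bytes) -> tuple[bytes, bool]:
    """Decode a captured payload body and report whether it is a PE."""
    decoded = xor_with_key(blob, key)
    return decoded, looks_like_pe(decoded)


if __name__ == "__main__":
    # Simulate what the traffic carried: the sample XOR-ed with the key.
    wire_bytes = xor_with_key(build_sample_pe(), KEY)
    print("on-wire bytes look like PE:", looks_like_pe(wire_bytes))
    print("recovered key:", recover_key(wire_bytes, len(KEY)))
    decoded, ok = decode_and_verify(wire_bytes, KEY)
    print("decoded looks like PE:", ok, "first bytes:", decoded[:2])
```

Because the same key was reused for all three transfers of the payload, the recovered key decodes each copy; hashing the decoded output (MD5 4f61aa95d7e045a533c5c11702ba17a2 per this page) confirms the three copies are the same file.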

 

Nuclear EK sends Silverlight exploit:

 

Post-infection HTTP request from the infected VM:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
