2015-01-18 - NUCLEAR EK FROM 188.226.241.6 - NIGHTGLASS.CF & NIGHTGLASS.GA

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


NUCLEAR EK - FIRST RUN:


NUCLEAR EK - SECOND RUN:


VAWTRAK/NEVERQUEST TRAFFIC:


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):


Sourcefire/VRT/Talos ruleset from Snort 2.9.7.0 on Debian 7 using tcpreplay:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-18-Nuclear-EK-flash-exploit.swf
File size:  23.1 KB ( 23631 bytes )
MD5 hash:  759c2d4d526940a03e3187bcff52df55
Detection ratio:  1 / 57
First submission:  2015-01-15 10:52:35 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7f8ceced652b3af0996a97efa986f25ad7ee99ec22b5c4162eedaeaed949f53d/analysis/


SILVERLIGHT EXPLOIT:

File name:  2015-01-18-Nuclear-EK-silverlight-exploit.xap
File size:  17.6 KB ( 18032 bytes )
MD5 hash:  c3cf4a7b7c7c32b787bb07f9dbe35a11
Detection ratio:  0 / 56
First submission:  2015-01-18 20:42:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/241472414d584676abdde9d337b2c5420bfc51b30239a12a3bf12e55b6def0d2/analysis/


MALWARE PAYLOAD:

File name:  2015-01-18-Nuclear-EK-malware-payload.exe
File size:  444.0 KB ( 454656 bytes )
MD5 hash:  74b87899fe6d4533c039648f8f4fd9fd
Detection ratio:  5 / 57
First submission:  2015-01-18 20:43:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/db4fb59eccecdd664cde3c6f9e2c4b69c17f4676e407a8e9b2f7e7b7fbf0c1fb/analysis/
Malwr link:  https://malwr.com/analysis/YjhjODU1OTM0ZjE2NDk1M2I1NzZiZDZkYjQ4ZTM2YjI/


DROPPED MALWARE FOUND ON INFECTED VM:

File name:  2015-01-18-Nuclear-EK-dropped-malware-found-on-infected-VM.exe
File size:  296.0 KB ( 303104 bytes )
MD5 hash:  f37658583f6ebca548eaa9db571c1ad2
Detection ratio:  6 / 57
First submission:  2015-01-18 20:43:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/36ec575b51d85ea1abe1ea15ac344ceb32b76714d357a29937e7aa287bfd3fb3/analysis/
Malwr link:  https://malwr.com/analysis/MWJhODNhNzNlM2ViNGYxNGFkMzFiZTVjOGJiMTY3N2M/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
