2015-01-23 - NUCLEAR EK PUSHES VAWTRAK/NEVERQUEST

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:


NUCLEAR EK:


VAWTRAK/NEVERQUEST POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-23-Nuclear-EK-flash-exploit.swf
File size:  23.0 KB ( 23595 bytes )
MD5 hash:  3c89d96da3872d873e146d6ef813e39d
Detection ratio:  15 / 55
First submission:  2015-01-19 18:42:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/97e4044a12e7abc3433f4349a1e33277082b6020438726b92bf00afa1501afdf/analysis/


SILVERLIGHT EXPLOIT:

File name:  2015-01-23-Nuclear-EK-silverlight-exploit.xap
File size:  17.4 KB ( 17841 bytes )
MD5 hash:  db4e34961e2e6aa7853aa0c9a1d6b626
Detection ratio:  7 / 51
First submission:  2015-01-23 21:10:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a81f23a1013fb2c9207de36195a41cace3b5874e8d8eff1c5129f0a1ec77b684/analysis/


MALWARE PAYLOAD:

File name:  2015-01-23-Nuclear-EK-malware-payload.exe
File size:  488.0 KB ( 499712 bytes )
MD5 hash:  51d78ac4ff683967f79cf5bdcee05426
Detection ratio:  16 / 57
First submission:  2015-01-26 21:38:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5c19aec7c236f5de2b921a02dd4049af4110152c531390b4267297dae402f740/analysis/


DROPPED MALWARE:

File name:  C:\ProgramData\JiceNfoju\YixoHosak.zsw
File size:  284.0 KB ( 290816 bytes )
MD5 hash:  3f62b465eb4fef45664ef387513c97cc
Detection ratio:  9 / 57
First submission:  2015-01-26 21:39:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/70c76f8111374f78081b6ca6472c43623b14c1b5e97d4a46f90cd76bff25f8c9/analysis/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
