2015-01-29 - NUCLEAR EK FROM 178.62.149.46 - CULTUREMERGE.GA - VAWTRAK PAYLOAD

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND INFECTION PATH:


NUCLEAR EK:


POST-INFECTION TRAFFIC:


SNORT EVENTS

Significant signature hits from the Emerging Threats and ETPRO rulesets using Suricata on Security Onion:

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-29-Nuclear-EK-flash-exploit.swf
File size:  26.7 KB ( 27346 bytes )
MD5 hash:  fc65c7cf2eeea109946c9b30281b01f8
Detection ratio:  1 / 57
First submission:  2015-01-29 18:05:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/571dc2a375cdd0d00dc94b37a8e146bc22f29d7b26045dffdbd4c6fd6ce56cf7/analysis/


SILVERLIGHT EXPLOIT:

File name:  2015-01-29-Nuclear-EK-silverlight-exploit.xap
File size:  16.0 KB ( 16406 bytes )
MD5 hash:  4ae69b684daa63b5091295244cf41fad
Detection ratio:  0 / 36
First submission:  2015-01-29 18:06:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b386acd0f63f0ea9c2ac1d283d94fcd098cd94cb3fba6a7ccb7bb769398741d2/analysis/


MALWARE PAYLOAD:

File name:  2015-01-29-Nuclear-EK-malware-payload.exe
File size:  392.0 KB ( 401408 bytes )
MD5 hash:  55b7da1da8ac0f4bc6ec42e9a8b00163
Detection ratio:  7 / 57
First submission:  2015-01-29 18:06:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ea0e75faa7c30806ad13300fa9bfe2839323fc47203f9b2dba49ba3580dd40a0/analysis/
Malwr link:  https://malwr.com/analysis/ZTUxNzAwODI2MWY5NDY5OGEwYzc5ZjA2MTY1ZjdmZjI/


DROPPED MALWARE (DLL FILE):

File name:  C:\ProgramData\ZedfOzbeb\TugeBucb.fec
File size:  292.0 KB ( 299008 bytes )
MD5 hash:  a31d9d3f6a0eae52c882d5dda534187d
Detection ratio:  3 / 57
First submission:  2015-01-29 18:06:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/993c82a0649786cdf3c4e7e32a27c9dcfd70091564bbd18928d1387e6854faac/analysis/
Malwr link:  https://malwr.com/analysis/MmNkODc5NmMxZDY1NDQ1YWI5MDM0NzhkMGQwYjJjMWI/


SCREENSHOTS FROM THE TRAFFIC

Infection path pointing to the exploit kit (EK) landing page:


Nuclear EK landing page:


Nuclear EK sends Flash exploit:


Nuclear EK sent the same malware payload 3 different times.  In each case, it was XOR-ed with the ASCII string XjBpF.

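As an added example (not code from the original post), here is a small Python routine that reverses the repeating-key XOR described above and confirms the result looks like a PE file; the key XjBpF is the one quoted in the post, while the sample bytes, the function names and the phase-recovery step are constructed for illustration.

```python
# Added example: undo repeating-key XOR of the kind Nuclear EK applied to the
# payload above. The key "XjBpF" is from the post; the sample PE bytes below
# are constructed, not the real payload.
from itertools import cycle
from typing import Optional

KEY = b"XjBpF"  # ASCII key quoted in the post


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric: the same call encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(blob: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Return the decoded EXE, or None if no rotation of the key yields a PE.

    A blob carved from a capture may not start on a key boundary, so every
    rotation of the key is tried; a hit must show 'MZ' at offset 0 and the
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C).
    """
    for shift in range(len(key)):
        rot = key[shift:] + key[:shift]
        out = xor_repeating(blob, rot)
        if out[:2] != b"MZ" or len(out) < 0x40:
            continue
        e_lfanew = int.from_bytes(out[0x3C:0x40], "little")
        if out[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return out
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for the payload: just enough header to pass the checks."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE header right after
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 26


if __name__ == "__main__":
    wire = xor_repeating(build_sample_pe(), KEY)  # what the EK would have sent
    recovered = decode_payload(wire)
    print("recovered PE" if recovered == build_sample_pe() else "no PE found")
```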

Nuclear EK sends the Silverlight exploit after the first malware payload:


Here's the callback traffic that triggered the ETPRO Vawtrak/NeverQuest signature:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.