2015-02-01 - NUCLEAR EK FROM 178.62.250.102 - DISCREETTARGET.CF

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


NUCLEAR EK:


POST-INFECTION TRAFFIC:


SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-02-01-Nuclear-EK-flash-exploit.swf
File size:  10.1 KB ( 10392 bytes )
MD5 hash:  43ad5d1fb45567e44f463fe575888802
Detection ratio:  3 / 56
First submission:  2015-02-01 10:16:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9c6c10291c98c2d2f196f17d2d4c1eb1dbfea992f978f15cd5429170609ba1a8/analysis/


SILVERLIGHT EXPLOIT:

File name:  2015-02-01-Nuclear-EK-silverlight-exploit.xap
File size:  15.4 KB ( 15773 bytes )
MD5 hash:  ef1717e7fab3535b7d4bf5c7c38feb0f
Detection ratio:  1 / 57
First submission:  2015-02-01 20:39:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c801e583ab71123f37bd22823df48a439465d767a3d3d8e9c90783be752bec98/analysis/


MALWARE PAYLOAD (1 OF 2):

File name:  2015-02-01-Nuclear-EK-malware-payload-1-of-2.exe
File size:  108.0 KB ( 110592 bytes )
MD5 hash:  469e7a715c0c396cd9e3b3a4f19e4cc7
Detection ratio:  6 / 48
First submission:  2015-02-01 20:39:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/344258bf73648da7032e6106554d8a4e00d3737f39e0305f42c80639d3f3e116/analysis/
Malwr link:  https://malwr.com/analysis/ZTJiZGQ4Y2QyMzg3NGYzM2JhYjFkOGM0MzYxNjFjYWE/


MALWARE PAYLOAD (2 OF 2):

File name:  2015-02-01-Nuclear-EK-malware-payload-2-of-2.exe
File size:  1.4 MB ( 1508864 bytes )
MD5 hash:  1d98adfa91d76de07415876f400f53fe
Detection ratio:  17 / 57
First submission:  2015-02-01 20:40:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b3e6340265e861ea26e8ed44d9c8a98e890816283708a8e39eff28a7bd482ab3/analysis/
Malwr link:  https://malwr.com/analysis/OWViZDcxMmMyYjRhNGRlZGI1NTBmMzdlNjJiNDE4MTA/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
