2015-02-04 - NUCLEAR EK FROM 5.9.120.123 - ZXC.MIVYCEM.COM

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-02-04-Nuclear-EK-flash-exploit.swf
File size:  8.3 KB ( 8475 bytes )
MD5 hash:  e6b2a5e873b12e9fe4835ca0336c46e9
Detection ratio:  0 / 55
First submission:  2015-02-04 08:43:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/80ddbaaa8f96d0a867725ea00a9019c9a176b36fcf127d210d675a42dc13facb/analysis/

SILVERLIGHT EXPLOIT:

File name:  2015-02-04-Nuclear-EK-silverlight-exploit.xap
File size:  15.4 KB ( 15795 bytes )
MD5 hash:  acd36384c818eedcfecb830aadc3f873
Detection ratio:  0 / 56
First submission:  2015-02-04 16:39:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a9bbac7406f3844b4f43b472b31422622e6f25772936772193ded6c46a109a13/analysis/

MALWARE PAYLOAD:

File name:  2015-02-04-Nuclear-EK-malware-payload.exe
File size:  209.7 KB ( 214740 bytes )
MD5 hash:  474c240eac9738ad98d8eae9b00c7f2e
Detection ratio:  7 / 51
First submission:  2015-02-04 16:30:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/43b263cbd52e17f78593a327a8014153695a50cce5f2c03c9ee1962a914e80f7/analysis/
Malwr link:  https://malwr.com/analysis/ZGM4YTg5ZjEzYzM2NDk4YWE1MTdlNGI5Nzk3MDA1NjU/

NOTE: the malware copied itself to:
C:\Users\username\AppData\Roaming\Mozilla\svchoste.exe

SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from compromised website:

Flash file used in redirect:

Redirect pointing to Nuclear EK landing page:

Nuclear EK landing page:

Nuclear EK sends Flash exploit:

Nuclear EK sends the malware payload, XOR-ed with the ASCII string PLLpHpt:

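The XOR-ed payload delivery shown above is simple to undo once the key is known. The following is an added example, not code from this page or from the exploit kit: it strips the repeating-key XOR (key PLLpHpt) from a captured download stream, checks that an MZ header emerges, and hashes the result for a VirusTotal lookup. It also goes one step beyond the page by recovering the key from the standard DOS stub text that most PE files carry at offset 0x4E; the sample stream, the stub offset and all function names are constructed assumptions.

```python
import hashlib
from itertools import cycle

# XOR key observed on the Nuclear EK payload download (from the page).
NUCLEAR_XOR_KEY = b"PLLpHpt"
# DOS stub text found in most PE files, and its usual offset (known plaintext).
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is symmetric, so one call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(stream: bytes, key: bytes = NUCLEAR_XOR_KEY) -> bytes:
    """Decode an XOR-ed download stream and check that a PE header emerges."""
    decoded = xor_with_key(stream, key)
    if decoded[:2] != b"MZ":
        raise ValueError("no MZ header after decoding: wrong key or offset")
    return decoded


def recover_key(stream: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating XOR key of length key_len from a known-plaintext run
    at `offset`. A contradiction means key_len or offset is wrong."""
    key = [None] * key_len
    for i, p in enumerate(known):
        pos = (offset + i) % key_len
        k = stream[offset + i] ^ p
        if key[pos] is not None and key[pos] != k:
            raise ValueError("inconsistent key byte: bad key_len or offset")
        key[pos] = k
    if None in key:
        raise ValueError("known plaintext too short to cover the whole key")
    return bytes(key)


# Constructed stand-in for the captured stream: a minimal PE-like blob (not the
# real payload) encoded the way the EK delivered it.
SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * (DOS_STUB_OFFSET - 4)
             + DOS_STUB_TEXT + b"\r\n$" + b"\x00" * 16)
SAMPLE_STREAM = xor_with_key(SAMPLE_PE, NUCLEAR_XOR_KEY)


def analyse(stream: bytes, key_len: int = len(NUCLEAR_XOR_KEY)) -> dict:
    """Recover the key, decode, and hash the result for a VirusTotal lookup."""
    key = recover_key(stream, DOS_STUB_TEXT, DOS_STUB_OFFSET, key_len)
    pe = decode_payload(stream, key)
    return {"key": key, "md5": hashlib.md5(pe).hexdigest(), "size": len(pe)}
```

On a real capture, feed the raw HTTP response body from the pcap to analyse() and compare the MD5 with the one listed under MALWARE PAYLOAD above.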
Nuclear EK sends the Silverlight exploit:

Post-infection traffic by the malware (had to run it on another machine, because it didn't work on the originally infected VM):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.