2015-03-16 - EXAMPLES OF NUCLEAR EK PUSHING KELIHOS

ASSOCIATED FILES:

 

NOTES:

 

TODAY'S THREATGLASS ENTRY:

http://threatglass.com/malicious_urls/crowdfundingformybusiness-com

 

SIMILAR THREATGLASS ENTRIES

http://threatglass.com/malicious_urls/ncef-org-np

 

http://threatglass.com/malicious_urls/konopialeczy-pl

 

http://threatglass.com/malicious_urls/namiknam-com

 

TODAY'S TRAFFIC

COMPROMISED WEBSITE AND REDIRECT CHAIN:

 

NUCLEAR EK:

 

POST-INFECTION CALL FOR MORE MALWARE:

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

 

NOTE: The second pcap from my infected host (not reviewed here) generated more Emerging Threats signature hits related to Kelihos:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-03-16-Nuclear-EK-flash-exploit.swf
File size:  9.3 KB ( 9571 bytes )
MD5 hash:  695a07cbcac3ca64010e168fe495ff4a
Detection ratio:  1 / 56
First submission:  2015-03-16 20:15:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4ddec2928f1fe9a2ccf305ada60dd93b057bdaf6db911d9c0c763883c2e3cb3/analysis/

 

MALWARE PAYLOAD:

File name:  2015-03-16-Nuclear-EK-malware-payload.exe
File size:  112.5 KB ( 115200 bytes )
MD5 hash:  eff5e3e630ad238c08984fe9ad59b87d
Detection ratio:  5 / 56
First submission:  2015-03-16 20:12:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9394b044686bf90ee7a1fe94c1e543b834d430db0f37812dc91b4d3c2c68d0ef/analysis/
Malwr link:  https://malwr.com/analysis/NzY1MGFmMjg3ZWQ2NDNjOGIzYzZkMjQyMTFiMDg2YTE/

 

FOLLOW-UP MALWARE:

File name:  kernel1.exe
File size:  1.4 MB ( 1493504 bytes )
MD5 hash:  d8b81506190ea42454329159d6e182ca
Detection ratio:  8 / 57
First submission:  2015-03-16 20:13:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c7fd604e0ee81919549ad13259b7cadb9bd653a5adc39a51c18117dd17cb1496/analysis/
Malwr link:  https://malwr.com/analysis/OTY1MDE2NGRmMGVmNGI3NWEzZWVhZWI5MTA1NGE2YmU/
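As an added example (not part of the original post, and not a tool the post uses), the script below turns the three file entries above into a structured indicator list and checks a local copy of a sample against the listed byte count, MD5, and the SHA-256 that is embedded in each VirusTotal URL. The text it parses is a constructed copy of the entries above; the sample files themselves are only in the password-protected zip, which this script neither downloads nor assumes is present.

```python
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed input: the "PRELIMINARY MALWARE ANALYSIS" entries copied from the
# post, so the parser runs offline without the samples themselves.
POST_ENTRIES = """\
FLASH EXPLOIT:

File name:  2015-03-16-Nuclear-EK-flash-exploit.swf
File size:  9.3 KB ( 9571 bytes )
MD5 hash:  695a07cbcac3ca64010e168fe495ff4a
Detection ratio:  1 / 56
First submission:  2015-03-16 20:15:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4ddec2928f1fe9a2ccf305ada60dd93b057bdaf6db911d9c0c763883c2e3cb3/analysis/

MALWARE PAYLOAD:

File name:  2015-03-16-Nuclear-EK-malware-payload.exe
File size:  112.5 KB ( 115200 bytes )
MD5 hash:  eff5e3e630ad238c08984fe9ad59b87d
Detection ratio:  5 / 56
VirusTotal link:  https://www.virustotal.com/en/file/9394b044686bf90ee7a1fe94c1e543b834d430db0f37812dc91b4d3c2c68d0ef/analysis/
Malwr link:  https://malwr.com/analysis/NzY1MGFmMjg3ZWQ2NDNjOGIzYzZkMjQyMTFiMDg2YTE/

FOLLOW-UP MALWARE:

File name:  kernel1.exe
File size:  1.4 MB ( 1493504 bytes )
MD5 hash:  d8b81506190ea42454329159d6e182ca
Detection ratio:  8 / 57
VirusTotal link:  https://www.virustotal.com/en/file/c7fd604e0ee81919549ad13259b7cadb9bd653a5adc39a51c18117dd17cb1496/analysis/
"""

FIELD_RE = re.compile(r"^(File name|File size|MD5 hash|Detection ratio|VirusTotal link):\s*(.*\S)\s*$")
SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")      # exact count, not the rounded KB/MB
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")      # VirusTotal URLs carry the SHA-256
RATIO_RE = re.compile(r"(\d+)\s*/\s*(\d+)")


@dataclass
class Sample:
    label: str                 # heading the entry sat under, e.g. "FLASH EXPLOIT"
    name: str
    size: int                  # byte count from the "( N bytes )" part
    md5: str
    sha256: Optional[str]      # from the VirusTotal URL path, if one was listed
    detections: Optional[tuple]  # (hits, engines) from "Detection ratio"


def _build(fields: dict) -> Sample:
    size_m = SIZE_RE.search(fields.get("File size", ""))
    if size_m is None:
        raise ValueError(f"no byte count for {fields.get('File name')}")
    md5 = fields.get("MD5 hash", "").lower()
    if not MD5_RE.match(md5):
        raise ValueError(f"bad MD5 for {fields.get('File name')}: {md5!r}")
    sha_m = SHA256_RE.search(fields.get("VirusTotal link", ""))
    ratio_m = RATIO_RE.search(fields.get("Detection ratio", ""))
    return Sample(
        label=fields["label"],
        name=fields["File name"],
        size=int(size_m.group(1)),
        md5=md5,
        sha256=sha_m.group(1) if sha_m else None,
        detections=(int(ratio_m.group(1)), int(ratio_m.group(2))) if ratio_m else None,
    )


def parse_entries(text: str) -> list:
    """Turn the post's 'File name / File size / MD5 hash / ...' blocks into Samples."""
    samples, fields, label = [], {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m is None:
            # An all-caps line ending in ":" is a heading such as "MALWARE PAYLOAD:";
            # other lines (First submission, Malwr link) are ignored.
            if line.endswith(":") and line == line.upper():
                label = line[:-1].strip()
            continue
        key, value = m.group(1), m.group(2)
        if key == "File name":           # a new entry starts; flush the previous one
            if fields:
                samples.append(_build(fields))
            fields = {"label": label}
        fields[key] = value
    if fields:
        samples.append(_build(fields))
    return samples


def verify_bytes(sample: Sample, data: bytes) -> list:
    """Return the mismatches between `data` and the listed sample (empty list = match)."""
    problems = []
    if len(data) != sample.size:
        problems.append(f"size {len(data)} != {sample.size}")
    md5 = hashlib.md5(data).hexdigest()
    if md5 != sample.md5:
        problems.append(f"md5 {md5} != {sample.md5}")
    if sample.sha256 is not None:
        sha = hashlib.sha256(data).hexdigest()
        if sha != sample.sha256:
            problems.append(f"sha256 {sha} != {sample.sha256}")
    return problems


def match_directory(samples: list, directory: str) -> dict:
    """Map each file in `directory` (e.g. the unzipped samples) to the entry it matches, by MD5."""
    by_md5 = {s.md5: s for s in samples}
    found = {}
    for path in Path(directory).iterdir():
        if path.is_file():
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            if digest in by_md5:
                found[path.name] = by_md5[digest].label
    return found


if __name__ == "__main__":
    for s in parse_entries(POST_ENTRIES):
        print(f"{s.label:18} {s.md5}  {s.sha256}  {s.size} bytes  {s.detections}")
```

The SHA-256 check matters because MD5 alone is not collision resistant; VirusTotal keys its reports by SHA-256, so a file that matches both the listed MD5 and the SHA-256 in the URL is the same object the report describes.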

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
