2015-05-14 - Nuclear EK DELIVERS RANSOMWARE

PCAP AND MALWARE:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

NUCLEAR EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

NUCLEAR EK FLASH EXPLOIT:

File name:  2015-05-14-Nuclear-EK-flash-exploit.swf
File size:  18.5 KB ( 18895 bytes )
MD5 hash:  94e60bcae544717cd530b20c644a9d56
Detection ratio:  0 / 57
First submission:  2015-05-13 18:57:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/aeec9303bb0f3ba9b8d05259efc0d61e5ac0ce45555a8f468ad1ce597d3debe5/analysis/

RANSOMWARE:

File name:  C:\Users\username\AppData\Local\skhwyva.exe
File size:  506.0 KB ( 518144 bytes )
MD5 hash:  58e1e0b122490dd5bf4a81776772b33c
Detection ratio:  0 / 55
First submission:  2015-05-14 18:45:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8ce346a46314e8d741b20bb8a716590d5c8bc49febe7d91d3bf0e5289e43cdc4/analysis/
Malwr link:  https://malwr.com/analysis/ZmQ2Yjk4ZGVhZTRlNGMzOWE3OThkY2QzZmZlNWRlYzc/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/8ce346a46314e8d741b20bb8a716590d5c8bc49febe7d91d3bf0e5289e43cdc4?environmentId=1
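As an added example (not code from this page or from malware-traffic-analysis.net), the two samples listed above can be turned into a small hash-based IoC matcher. It uses only the Python standard library; the file sizes and MD5s are the ones given in the listings, and the SHA-256 values are the ones embedded in the VirusTotal links. File size is compared before anything is hashed so a tree can be scanned cheaply, and an MD5-only hit is reported separately because MD5 collisions are practical and the SHA-256 is the value to confirm. The sample bytes and file names inside demo_scan() are constructed for the demonstration and are not real malware.

```python
import hashlib
import io
import os
import re
import tempfile
from pathlib import Path

# Indicators transcribed from the listings above. The SHA-256 values come from the
# path component of the VirusTotal links; sizes and MD5s from the listed fields.
IOCS = [
    {
        "label": "Nuclear EK Flash exploit",
        "size": 18895,
        "md5": "94e60bcae544717cd530b20c644a9d56",
        "sha256": "aeec9303bb0f3ba9b8d05259efc0d61e5ac0ce45555a8f468ad1ce597d3debe5",
    },
    {
        "label": "ransomware payload (dropped as skhwyva.exe)",
        "size": 518144,
        "md5": "58e1e0b122490dd5bf4a81776772b33c",
        "sha256": "8ce346a46314e8d741b20bb8a716590d5c8bc49febe7d91d3bf0e5289e43cdc4",
    },
]

VT_FILE_URL = re.compile(r"virustotal\.com/en/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url):
    """Pull the SHA-256 out of a VirusTotal file-report URL (None if absent)."""
    m = VT_FILE_URL.search(url)
    return m.group(1) if m else None


def hash_stream(fh):
    """One pass over a binary stream, returning (md5, sha256) hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def make_ioc(label, data):
    """Build an indicator record from constructed sample bytes (demo/test helper)."""
    md5, sha = hash_stream(io.BytesIO(data))
    return {"label": label, "size": len(data), "md5": md5, "sha256": sha}


def _match(size, digests_fn, iocs):
    """Size is checked first so files that cannot match are never hashed. SHA-256 is
    authoritative; an MD5-only hit is flagged for confirmation rather than trusted."""
    candidates = [i for i in iocs if i["size"] == size]
    if not candidates:
        return None
    md5, sha = digests_fn()
    for ioc in candidates:
        if ioc["sha256"] == sha:
            return ioc["label"]
    for ioc in candidates:
        if ioc["md5"] == md5:
            return ioc["label"] + " (MD5 match only; confirm SHA-256)"
    return None


def match_bytes(data, iocs=IOCS):
    """Match an in-memory blob (e.g. a file carved from the PCAP) against the IoCs."""
    return _match(len(data), lambda: hash_stream(io.BytesIO(data)), iocs)


def match_file(path, iocs=IOCS):
    """Match a file on disk, hashing it only if its size matches some indicator."""
    def digests():
        with open(path, "rb") as fh:
            return hash_stream(fh)
    return _match(os.path.getsize(path), digests, iocs)


def scan_directory(root, iocs=IOCS):
    """Walk a directory tree; return [(path, label)] for every file matching an IoC."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            label = match_file(path, iocs)
            if label:
                hits.append((str(path), label))
    return hits


def demo_scan():
    """Constructed demonstration: a benign file and a fake 'sample' in a temp dir are
    scanned against the page IoCs plus one constructed indicator. Returns hit labels."""
    sample = b"constructed sample bytes - not real malware"
    iocs = IOCS + [make_ioc("constructed sample", sample)]
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "readme.txt").write_bytes(b"nothing to see here")
        Path(tmp, "skhwyva.exe").write_bytes(sample)  # name borrowed from the listing
        return [label for _, label in scan_directory(tmp, iocs)]


if __name__ == "__main__":
    print(demo_scan())
```

Pointing scan_directory() at a user's AppData\Local tree (where the listing says the payload was dropped) or at files carved from the PCAP is the intended use; the real samples are not needed to run the demo.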

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the associated malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
