2015-08-12 - NUCLEAR EK FROM 188.166.1.98 - AABEWEDDBHUJKOGE.CF

PCAP AND MALWARE:


TRAFFIC

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT:


NUCLEAR EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2015-08-12-Nuclear-EK-flash-exploit.swf
File size:  23.3 KB ( 23,896 bytes )
MD5 hash:  a7e04fd7983b5de53d7815e3640cbbcf
SHA1 hash:  7f6fd22175ab0ef8f3241f8574c49877eda767fe
SHA256 hash:  f9223d8fc077fa24e9f6b751521724df142937a6c6add7dcbf8b0466d36a59aa
Detection ratio:  0 / 56
First submission:  2015-08-12 16:00:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f9223d8fc077fa24e9f6b751521724df142937a6c6add7dcbf8b0466d36a59aa/analysis/


MALWARE PAYLOAD

File name:  2015-08-12-Nuclear-EK-malware-payload.exe
File size:  64.6 KB ( 66,169 bytes )
MD5 hash:  07d46f9f603dfd57f7bc11c15770ae8d
SHA1 hash:  2b6b16e4b536e0264c3b31d71e588a377a807ed6
SHA256 hash:  ba6df636ee48aa126a8fc9523bb6edb1a0e3c82fa935f833c9091fc316279a21
Detection ratio:  3 / 56
First submission:  2015-08-12 16:00:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ba6df636ee48aa126a8fc9523bb6edb1a0e3c82fa935f833c9091fc316279a21/analysis/
Malwr link:  https://malwr.com/analysis/OTViOTU3OTFmZDkxNDU5NjgxMzU5YjQ0ZTA1OGQ3NjE/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/ba6df636ee48aa126a8fc9523bb6edb1a0e3c82fa935f833c9091fc316279a21?environmentId=1


SNORT EVENTS

Suricata using the Emerging Threats open and ETpro rulesets on Security Onion (not including ET INFO or ET POLICY rules):


Snort 2.9.7.3 using Talos Snort Registered Rules on Debian 7:


IMAGES FROM THE TRAFFIC

Malicious script in page from compromised website:


Gate URL redirecting to the Nuclear EK landing page:


Nuclear EK landing page:


Nuclear EK sends Flash exploit:


Nuclear EK sends the malware payload.  The EXE is XOR-ed with the ASCII string ATgka on the wire, so the bytes in the pcap will not carry an MZ header or match the hashes above until they are XOR-decoded with that key.
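As an added illustration (not code from the original post or its archive), the Python below decodes a payload that has been XOR-ed with a short repeating ASCII key such as ATgka and, going a step beyond the post, recovers the key from the encoded file alone by using the DOS header's e_res2 field (offsets 0x28-0x3B), which is zero in practically every PE and therefore leaks the key stream. That the key repeats and is aligned to file offset 0 is an assumption here, not something the post states; the sample PE bytes are constructed for the demo and are not the real payload.

```python
import hashlib
from itertools import cycle
from typing import Optional, Tuple

# The key the post reports for this payload; used here only to build the demo blob.
KEY = b"ATgka"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call encodes and decodes.
    Assumes key byte 0 lines up with data offset 0."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, max_len: int = 16) -> Optional[bytes]:
    """Recover a repeating XOR key from an encoded PE without knowing it.
    Assumption: e_res2 (offsets 0x28-0x3B) is all zero in the plaintext, so
    those 20 encoded bytes are the raw key stream. The shortest key length
    that is self-consistent there and also yields an 'MZ' signature wins."""
    ZERO_START, ZERO_END = 0x28, 0x3C
    if len(blob) < ZERO_END:
        return None
    stream = blob[ZERO_START:ZERO_END]
    for klen in range(1, max_len + 1):
        key = bytearray(klen)
        seen = [False] * klen
        consistent = True
        for i, c in enumerate(stream):
            pos = (ZERO_START + i) % klen  # key index for this file offset
            if seen[pos] and key[pos] != c:
                consistent = False
                break
            key[pos] = c
            seen[pos] = True
        if not consistent or not all(seen):
            continue
        if xor_with_key(blob[:2], bytes(key)) == b"MZ":
            return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ signature and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes) -> Optional[Tuple[bytes, bytes, str]]:
    """Return (key, decoded bytes, sha256 of decoded) or None if the blob does
    not decode to something PE-shaped under any short repeating key."""
    key = recover_key(blob)
    if key is None:
        return None
    plain = xor_with_key(blob, key)
    if not looks_like_pe(plain):
        return None
    return key, plain, hashlib.sha256(plain).hexdigest()


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE (not the real payload): a DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, followed by filler."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60 + b"constructed filler, not code"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: pass the payload body carved from the pcap (HTTP body only, no headers).
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = xor_with_key(build_sample_pe(), KEY)  # constructed on-the-wire blob
    result = decode_payload(blob)
    if result is None:
        print("no consistent repeating XOR key found; not a XOR-ed PE by this heuristic")
    else:
        key, plain, digest = result
        print(f"key={key!r} size={len(plain)} sha256={digest}")
```

Carve the HTTP response body (not the headers) out of the pcap first; the hash of the decoded file is what you compare against the payload hashes listed above. The e_res2 trick fails on packers that overwrite the DOS header, in which case fall back to XOR-ing the first two bytes with "MZ" to get two key bytes and brute-forcing the rest against the "PE\0\0" signature.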


FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
