2015-09-22 - NUCLEAR EK FROM 46.101.165.112 - BAGREWAKOKUGRE.ML

PCAP AND MALWARE:

 


Shown above: Squil after using tcpreplay on the pcap in Security Onion (set up with Suricata and the EmergingThreats Pro signature set).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

NUCLEAR EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-09-22-Nuclear-EK-flash-exploit.swf
File size:  59.6 KB ( 60995 bytes )
MD5 hash:  917e9794bd819a35ff1fd4bc378232e4
SHA1 hash:  bcfb2c9a7206ce9c1260fa49e4b2f5dacd0a717a
SHA256 hash:  bd0c59c6e5bddb277120789e2341b0bc099f9016d664d9a4e25f21804d72f073
Detection ratio:  1 / 56
First submission:  2015-09-22 15:54:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bd0c59c6e5bddb277120789e2341b0bc099f9016d664d9a4e25f21804d72f073/analysis/

 

MALWARE PAYLOAD:

File name:  2015-09-22-Nuclear-EK-malware-payload.exe
File size:  632.1 KB ( 647281 bytes )
MD5 hash:  2e3a61907992a8f6c49cd558cfbfa831
SHA1 hash:  23be081d349acdb6b3832f50cf669b177bfd0c67
SHA256 hash:  a2a97efaa0914a1d91a10df523a72a2d514552b82c7bb80947083ea57766d3b7
Detection ratio:  4 / 56
First submission:  2015-09-22 15:53:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a2a97efaa0914a1d91a10df523a72a2d514552b82c7bb80947083ea57766d3b7/analysis/
Malwr link:  https://malwr.com/analysis/MjllOGI2ODI4NTYwNDhlZmEwYTdjMzdlZjJmOTJkN2U/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/a2a97efaa0914a1d91a10df523a72a2d514552b82c7bb80947083ea57766d3b7?environmentId=4

 

 

SCREENSHOTS

Below is a screenshot showing the malicious script injected into a page from the compromised web site:

 

What's an easy way to confirm this is the script that cause the HTTP GET request for the redirect/gate?  Dump the script into a web page by itself, then change the "eval" to "alert" as shown below.  That should cause a pop-up window in your browser that might show the deobfuscated script:

 

Below is the pop-up window I got from a browser.  At the very end is the an iframe, somewhat obfuscated, but you can still see find the gate URL within the area I've noted in the image.  Before that, you'll also find a slightly obfuscated URL for 2zz3.cf/stat.php.  When I checked, 2zz3.cf resolved to the same IP address as l2-bob.cf.

 

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.