2015-10-19 - 052F GATE NUCLEAR EK FROM 178.62.4.34

ASSOCIATED FILES:


CHAIN OF EVENTS


Shown above:  Results in Security Onion after using tcpreplay on the pcap.


ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND 052F GATE:


Shown above:  Script injected into pages from the compromised website.


NUCLEAR EK:


POST-INFECTION TRAFFIC (ONLY HTTP TRAFFIC SHOWN):


PRELIMINARY MALWARE ANALYSIS

NUCLEAR EK FLASH EXPLOIT:


MALWARE RETRIEVED FROM THE INFECTED HOST:


SOME OF THE REGISTRY KEYS NOTED ON THE INFECTED HOST:

Registry Key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


Registry Key:  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Registry Key:  HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
