2015-10-30 - NUCLEAR EK FROM 188.166.65.14

ASSOCIATED FILES:


CHAIN OF EVENTS


Shown above:  Results in Security Onion after using tcpreplay on the pcap.


ASSOCIATED DOMAINS:


IMAGES FROM THE TRAFFIC


Shown above:  Injected script in page from the compromised website.



Shown above:  HTTP requests during the traffic.



Shown above:  Filtering the traffic in Wireshark, you'll find more than 150 IP addresses the infected host reached out to.



Shown above:  Post-infection traffic also shows DNS queries to unusual IP addresses.
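The two captions above describe the same triage step an analyst would script once the pcap gets large: list every destination the infected host reached out to, then pull out the DNS queries that went anywhere other than the expected resolver. The following is an added Python example written for this page, not code from this post or from malware-traffic-analysis.net. It parses a classic libpcap file (Ethernet link type) with only the standard library, so it also runs on a real capture; the pcap it analyses here is constructed inline, and every address in it is a placeholder from the RFC 5737 / RFC 1918 ranges, not an indicator from this traffic.

```python
"""Minimal pcap triage: destination IPs contacted by an infected host, plus DNS
queries sent to servers other than the configured resolver.

Added example; not part of the original post. Sample traffic is constructed and
uses placeholder addresses, not indicators from the capture discussed above.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # classic pcap, little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # classic pcap, big-endian
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
DNS_PORT = 53


def ipv4_to_str(raw):
    return ".".join(str(b) for b in raw)


def ipv4_to_bytes(text):
    return bytes(int(o) for o in text.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet/IPv4/(UDP|TCP) frame used only to construct sample traffic.
    Checksums are left zero; the parser below does not verify them."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header, SYN flag only
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipv4_to_bytes(src_ip), ipv4_to_bytes(dst_ip)) + l4
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then 16-byte record header + frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for every IPv4 TCP/UDP packet."""
    if data[:4] == PCAP_MAGIC_LE:
        endian = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        proto = frame[23]
        src, dst = ipv4_to_str(frame[26:30]), ipv4_to_str(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        yield src, dst, proto, sport, dport


def destinations_contacted(records, infected_host):
    """Unique destination IPs the infected host sent packets to, with counts."""
    return Counter(dst for src, dst, *_ in records if src == infected_host)


def dns_to_unexpected_servers(records, infected_host, expected_resolvers):
    """DNS queries from the infected host to anything but its configured resolver(s)."""
    return sorted({dst for src, dst, proto, _, dport in records
                   if src == infected_host and proto == PROTO_UDP
                   and dport == DNS_PORT and dst not in expected_resolvers})


INFECTED_HOST = "192.168.122.50"         # constructed lab address
EXPECTED_RESOLVERS = {"192.168.122.1"}   # constructed: the lab's DNS server
SAMPLE_PCAP = build_pcap([                # constructed traffic, placeholder addresses
    build_frame(INFECTED_HOST, "192.168.122.1", PROTO_UDP, 51000, 53),   # normal lookup
    build_frame(INFECTED_HOST, "203.0.113.10", PROTO_TCP, 51001, 80),    # compromised site
    build_frame(INFECTED_HOST, "203.0.113.77", PROTO_TCP, 51002, 80),    # landing page
    build_frame("203.0.113.77", INFECTED_HOST, PROTO_TCP, 80, 51002),    # reply, not counted
    build_frame(INFECTED_HOST, "198.51.100.9", PROTO_UDP, 51003, 53),    # DNS to odd server
    build_frame(INFECTED_HOST, "198.51.100.44", PROTO_UDP, 51004, 53),   # DNS to odd server
] + [build_frame(INFECTED_HOST, f"192.0.2.{i}", PROTO_TCP, 52000 + i, 443) for i in range(1, 6)])


def triage(pcap_bytes=SAMPLE_PCAP, infected_host=INFECTED_HOST, resolvers=EXPECTED_RESOLVERS):
    records = list(parse_pcap(pcap_bytes))
    return {"destinations": destinations_contacted(records, infected_host),
            "odd_dns_servers": dns_to_unexpected_servers(records, infected_host, resolvers)}


if __name__ == "__main__":
    result = triage()
    print(f"{len(result['destinations'])} unique destination IPs contacted by {INFECTED_HOST}")
    for ip, n in result["destinations"].most_common():
        print(f"  {ip:<16} {n} packet(s)")
    print("DNS sent to servers other than the configured resolver:", result["odd_dns_servers"])
```

To run it against a real capture, pass `open("traffic.pcap", "rb").read()` to `triage()` together with the infected host and its legitimate resolver; the second list is the one worth reading first, since a Windows host normally only talks to the resolver it was handed by DHCP, so DNS to anything else is a cheap post-infection signal.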


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
