2015-11-09 - NUCLEAR EK FROM 178.62.8.117 SENDS ANDROMEDA/CTB-LOCKER

ASSOCIATED FILES:


Shown above: Desktop background from infected Windows host.

TRAFFIC

ASSOCIATED DOMAINS:


Shown above: Events generated after using tcpreplay on the pcap in Security Onion.


COMPROMISED WEBSITE AND REDIRECT:


Shown above: Injected script in page from compromised website.


Shown above: Redirect URL leading to Nuclear EK landing page.


NUCLEAR EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

NUCLEAR EK ARTIFACTS:


ARTIFACTS RETRIEVED FROM THE INFECTED HOST:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.