2016-02-15 - NUCLEAR EK FROM 198.199.124.127 SENDS VAWTRAK

PCAP AND MALWARE:


CHAIN OF EVENTS

START TIMES FOR THE TRAFFIC:


ASSOCIATED DOMAINS:


IMAGES


Shown above:  Pcap from the first run, filtered in Wireshark (Nuclear EK, but no payload).



Shown above:  Pcap from the second run, filtered in Wireshark (Nuclear EK sent Vawtrak payload).
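The difference between the two runs above (Nuclear EK reached, with and without a payload coming back) can be checked without opening the pcaps in Wireshark. What follows is an added example, not code from the original post: it reads a pcap with the Python standard library only, joins each HTTP request to the reply on the reversed 4-tuple, and reports whether the EK address answered with a binary body. The two pcaps it reads are constructed in memory so it runs offline; the victim address, the compromised-site address, the host names compromised.example and ek.example, the ports and the URIs are all made up. Only 198.199.124.127 comes from the post.

```python
"""Rebuild the HTTP chain of events from a pcap with the standard library only.
Added example, not code from the original post: the two pcaps below are constructed
in memory (hosts, ports and URIs are made up) so the script runs offline."""
import struct

EK_IP = "198.199.124.127"   # Nuclear EK address from the post title
CLIENT = "192.168.1.105"    # constructed victim address
SITE_IP = "203.0.113.10"    # constructed compromised-site address (TEST-NET-3)


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload; checksums are left zero."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp + payload


def build_pcap(frames, t0=1455494400):
    """Little-endian pcap (magic 0xA1B2C3D4, v2.4, LINKTYPE_ETHERNET), 1 s per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp_payloads(pcap):
    """Yield (ts, src, dst, sport, dport, payload) for each TCP segment with data."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", pcap[:4])[0]]
    off = 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 + TCP only
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]                      # drop any trailer padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield ts, src, dst, sport, dport, payload


def _parse_head(data):
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        hdrs[k.strip().lower()] = v.strip()
    return lines[0], hdrs


def chain_of_events(pcap):
    """HTTP requests in capture order, each joined to the reply on the reversed 4-tuple."""
    events, pending = [], {}
    for ts, src, dst, sport, dport, data in iter_tcp_payloads(pcap):
        line, hdrs = _parse_head(data)
        if line.startswith(("GET ", "POST ")):
            method, uri = line.split(" ")[:2]
            ev = {"ts": ts, "server": dst, "host": hdrs.get("host", dst), "method": method,
                  "uri": uri, "referer": hdrs.get("referer", ""), "status": None, "ctype": ""}
            pending[(dst, src, dport, sport)] = ev
            events.append(ev)
        elif line.startswith("HTTP/") and (src, dst, sport, dport) in pending:
            ev = pending.pop((src, dst, sport, dport))
            ev["status"] = int(line.split(" ")[1])
            ev["ctype"] = hdrs.get("content-type", "").split(";")[0].strip()
    return events


def ek_payload_delivered(events, ek_ip=EK_IP):
    """True when the EK address returned a binary body, i.e. the run got a payload."""
    binary = {"application/octet-stream", "application/x-msdownload"}
    return any(e["server"] == ek_ip and e["status"] == 200 and e["ctype"] in binary
               for e in events)


def describe(events, ek_ip=EK_IP):
    """One line per request, tagged the way the post's chain of events reads."""
    return [f'{e["ts"]} {e["host"]} {e["method"]} {e["uri"]} -> {e["status"]} {e["ctype"]}'
            f' [{"Nuclear EK" if e["server"] == ek_ip else "compromised site"}]'
            for e in events]


# Constructed traffic (not the post's pcaps); host names, ports and URIs are made up.
def _get(sport, dst, host, uri, referer=""):
    ref = f"Referer: {referer}\r\n" if referer else ""
    return tcp_frame(CLIENT, dst, sport, 80,
                     f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n{ref}\r\n".encode())


def _ok(sport, src, ctype):
    return tcp_frame(src, CLIENT, 80, sport,
                     f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: 1\r\n\r\nx".encode())


SITE, LAND = "compromised.example", "ek.example"
_COMMON = [
    _get(49152, SITE_IP, SITE, "/"), _ok(49152, SITE_IP, "text/html"),
    _get(49153, SITE_IP, SITE, "/injected.js", f"http://{SITE}/"), _ok(49153, SITE_IP, "application/javascript"),
    _get(49154, EK_IP, LAND, "/landing", f"http://{SITE}/"), _ok(49154, EK_IP, "text/html"),
]
RUN1_PCAP = build_pcap(_COMMON)                                  # EK reached, no payload
RUN2_PCAP = build_pcap(_COMMON + [_get(49155, EK_IP, LAND, "/payload", f"http://{LAND}/landing"),
                                  _ok(49155, EK_IP, "application/octet-stream")])

if __name__ == "__main__":
    for name, pcap in (("first run", RUN1_PCAP), ("second run", RUN2_PCAP)):
        events = chain_of_events(pcap)
        print(f"== {name}: payload delivered = {ek_payload_delivered(events)}")
        print("\n".join(describe(events)))
```

The Referer header is what ties the EK landing page back to the compromised site in the first column of the output; when a real capture has it stripped (or the redirect goes through a gate on a third host), fall back to ordering by timestamp and client source port. The binary Content-Type check is only a first-pass indicator: an EK can label the payload as text or serve it XOR-encoded, so confirm against the carved file rather than the header alone.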



Shown above:  Injected script in page from the compromised website.



Shown above:  Alerts from Sguil on Security Onion using Suricata with the Emerging Threats ruleset.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
