Malware-Traffic-Analysis.net - A malware traffic analysis blog 2014-01-24

2014-01-24 - NUCLEAR EXPLOIT KIT

ASSOCIATED FILES:

NOTES:

Nuclear EK (also known as "Nuclear Pack") has been around for a while. A Google search shows version 2.0 was discovered in 2012.

Current EmergingThreats signatures for Nuclear EK activity were released as early as November 2013 (see http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=%22Nuclear+EK%22 for details).

I recently ran across some traffic that triggered a few of those Nuclear EK signatures. Let's take a closer look...

As always, I used Security Onion to monitor a vulnerable Windows host. This time, it was a VM running Windows 7 SP1 with IE 10 and Java 7 update 15.

02:55:06 - 192.168.14.138:52405 - 192.168.14.2:53 - ET INFO DNS Query to a *.pw domain - Likely Hostile
02:55:06 - 192.168.14.138:50113 - 192.95.6.120:80 - ET INFO HTTP Request to a *.pw domain
02:55:19 - 192.168.14.138:50119 - 192.95.6.120:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
02:55:19 - 192.168.14.138:50119 - 192.95.6.120:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013
02:55:19 - 192.95.6.120:80 - 192.168.14.138:50119 - ET INFO JAVA - Java Archive Download By Vulnerable Client
02:55:20 - 192.168.14.138:50119 - 192.95.6.120:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013
02:55:20 - 192.95.6.120:80 - 192.168.14.138:50119 - ET POLICY PE EXE or DLL Windows file download
02:55:20 - 192.95.6.120:80 - 192.168.14.138:50119 - ET INFO EXE - Served Inline HTTP
02:55:20 - 192.95.6.120:80 - 192.168.14.138:50119 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client
02:55:20 - 192.95.6.120:80 - 192.168.14.138:50119 - ET POLICY Java EXE Download
02:55:20 - 192.95.6.120:80 - 192.168.14.138:50119 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
02:55:20 - 192.168.14.138:50113 - 192.95.6.120:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013

ASSOCIATED DOMAINS:

184.168.202.1 - holiday-cruiseline.com - compromised website
184.106.55.51 - www.comprarytraer.cl - redirects from compromised website to Nuclear EK domain
192.95.6.120 - h3zqxj.canoedoctor.pw - Nuclear EK domain

INITIAL INFECTION CHAIN:

02:55:03 - 184.168.202.1:80 - holiday-cruiseline.com - GET /
02:55:05 - 184.106.55.51:80 - www.comprarytraer.cl - GET /clik.php?id=6985669
02:55:06 - 192.95.6.120:80 - h3zqxj.canoedoctor.pw - GET /ac_bc6-d3c1_9b-ac_7e-fa4R3c_0-7-3J5-c_aW3f-5aa8-/27/a8e20d45a9de92557bfbbd4f23b3764d.html
02:55:19 - 192.95.6.120:80 - h3zqxj.canoedoctor.pw - GET /3487684040/1390510620.jar
02:55:20 - 192.95.6.120:80 - h3zqxj.canoedoctor.pw - GET /f/1390510620/3487684040/2
02:55:21 - 192.95.6.120:80 - h3zqxj.canoedoctor.pw - GET /3487684040/1390510620.htm
02:55:21 - 192.95.6.120:80 - h3zqxj.canoedoctor.pw - GET /f/1390510620/3487684040/2/2

Comrpomised server with an iframe in the HTML of the web page:

www.comprarytraer.cl redirects from the compromised web site to the Nuclear EK domain:

Initial landing page for the Nuclear EK domain:

The Java exploit:

The EXE payload:

File name: 2014-01-24-Nucleus-exploit.jar
File size: 13.9 KB ( 14234 bytes )
MD5 hash: 2014-01-24-Nuclear-Java-exploit.jar
VirusTotal link: https://www.virustotal.com/en/file/324df14bbb80c0b6dd0b13d96732c8647d20b470309d7e161c7068b7e5213265/analysis/
Detection ratio: 2 / 50
First submission: 2014-01-24 04:38:46 GMT

File name: 2014-01-24-Nuclear-EXE-payload.exe
File size: 344.0 KB ( 352256 bytes )
MD5 hash: 3c2d3d94b9e47f5c72dab9a8d62a58a2
VirusTotal link: https://www.virustotal.com/en/file/0c1ecbdcf144a8f28f88edef7221426f613124c8da5a84dc33975eca13a2d90c/analysis/
Detection ratio: 20 / 50
First submission: 2014-01-23 10:29:05 GMT

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.