2014-06-15 - NUCLEAR EK FROM 5.45.179.4 - CERTIFICAT.ENGLEWOODFLORIDAREALTOR.COM

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-15-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-15-Nuclear-EK-malware.zip

 

CHAIN OF EVENTS

NUCLEAR EK:

• 02:09:04 UTC - 172.16.165.135:50097 - 5.45.179.4:80 - certificat.englewoodfloridarealtor.com - GET /3885aedbt7ju.html
• 02:09:17 UTC - 172.16.165.135:50107 - 5.45.179.4:80 - certificat.englewoodfloridarealtor.com - GET /2582691206/3/1402777200.jar
• 02:09:17 UTC - 172.16.165.135:50108 - 5.45.179.4:80 - certificat.englewoodfloridarealtor.com - GET /2582691206/3/1402777200.jar
• 02:09:17 UTC - 172.16.165.135:50108 - 5.45.179.4:80 - certificat.englewoodfloridarealtor.com - GET /2582691206/3/1402777200.jar
• 02:09:18 UTC - 172.16.165.135:50108 - 5.45.179.4:80 - certificat.englewoodfloridarealtor.com - GET /f/3/1402777200/2582691206/2
• 02:09:18 UTC - 172.16.165.135:50108 - 5.45.179.4:80 - certificat.englewoodfloridarealtor.com - GET /f/3/1402777200/2582691206/2/2

POST-INFECTION TRAFFIC:

• 02:10:25 UTC - 172.16.165.135:50117 - 84.19.191.164:80 - market.SBPVSISTERCITY.ORG - POST /es/cambios.php
• Also saw repeated DNS queries for:   carbon-fox.su

 

MALWARE

• Java exploit:   2014-06-15-Nuclear-EK-java-exploit.jar   (Virus total link)
• Malware payload 1 of 2:   2014-06-15-Nuclear-EK-malware-payload-01.exe   (Virus total link)
• Malware payload 2 of 2:   2014-06-15-Nuclear-EK-malware-payload-02.exe   (Virus total link)

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets:

• 2014-06-15 02:07:30 UTC - 172.16.165.135:50107 - 5.45.179.4:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 2014-06-15 02:07:31 UTC - 172.16.165.135:50108 - 5.45.179.4:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
• 2014-06-15 02:07:32 UTC - 5.45.179.4:80 - 172.16.165.135:50108 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)
• 2014-06-15 02:08:39 UTC - 172.16.165.135:50117 - 84.19.191.164:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
• 2014-06-15 02:08:39 UTC - 84.19.191.164:80 - 172.16.165.135:50117 - ETPRO TROJAN Fareit/Pony Downloader CnC response (sid:2805976)

Sourcefire VRT ruleset:

• 2014-06-15 02:07:30 UTC - 172.16.165.135:50107 - 5.45.179.4:80 - EXPLOIT-KIT Nuclear exploit kit outbound jar request (sid:30219)
• 2014-06-15 02:07:31 UTC - 5.45.179.4:80 - 172.16.165.135:50108 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 2014-06-15 02:07:31 UTC - 172.16.165.135:50108 - 5.45.179.4:80 - EXPLOIT-KIT Nuclear exploit kit outbound payload request (sid:30220)
• 2014-06-15 02:07:31 UTC - 5.45.179.4:80 - 172.16.165.135:50108 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
• 2014-06-15 02:07:31 UTC - 5.45.179.4:80 - 172.16.165.135:50108 - EXPLOIT-KIT Multiple exploit kit single digit exe detection (sid:28423)
• 2014-06-15 02:08:39 UTC - 172.16.165.135:50117 - 84.19.191.164:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)

NOTE: These Snort events were taken from Sguil on Security Onion

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAPs:  2014-06-15-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-15-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.