2014-06-19 - NUCLEAR EK FROM 5.135.28.118 - 2624633428-6.DISBARMENTSCORE.CO7.US

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-19-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-19-Nuclear-EK-malware.zip

NOTES:

• VirusTotal indicates the Flash exploit used in this traffic is a CVE-2014-0515 Flash exploit.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 95.211.188.216 - stat.litecsys.com - First ad redirect
• 95.211.188.217 - static.sumibi.org - Second ad redirect
• 5.135.28.118 - 4e63f29dvtlp.disbarmentscore.co7.us and 2624633428-6.disbarmentscore.co7.us - Nuclear EK

AD TRAFFIC REDIRECTING TO NUCLEAR EK:

• 15:31:59 UTC - 192.168.204.227:50161 - 95.211.188.216:80 - stat.litecsys.com - GET /d2.php?ds=true&dr=7519651950
• 15:32:00 UTC - 192.168.204.227:50175 - 95.211.188.217:80 - static.sumibi.org - HEAD /pop2.php?acc=%F1%1C%B8%ABs7A%7Dk%21%A5%B0J%AC%A0%255%EE
  %0DZ1Z%0D9&nrk=8596163981
• 15:32:01 UTC - 192.168.204.227:50175 - 95.211.188.217:80 - static.sumibi.org - GET /pop2.php?acc=%F1%1C%B8%ABs7A%7Dk%21%A5%B0J%AC%A0%255%EE
  %0DZ1Z%0D9&nrk=8596163981

NUCLEAR EK:

• 15:32:02 UTC - 192.168.204.227:50184 - 5.135.28.118:80 - 4e63f29dvtlp.disbarmentscore.co7.us - GET /
• 15:32:08 UTC - 192.168.204.227:50186 - 5.135.28.118:80 - 2624633428-6.disbarmentscore.co7.us - GET /1403171040.swf
• 15:32:15 UTC - 192.168.204.227:50191 - 5.135.28.118:80 - 2624633428-6.disbarmentscore.co7.us - GET /1403171040.jar
• 15:32:16 UTC - 192.168.204.227:50191 - 5.135.28.118:80 - 2624633428-6.disbarmentscore.co7.us - GET /f/1403171040/2
• 15:32:18 UTC - 192.168.204.227:50191 - 5.135.28.118:80 - 2624633428-6.disbarmentscore.co7.us - GET /f/1403171040/2/2

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-19-Nuclear-EK-flash-exploit.swf
File size:  4.0 KB ( 4062 bytes )
MD5 hash:  f95006970f34a6ca5bcd0b32b92dd48d
Detection ratio:  5 / 54
First submission:  2014-06-18 09:07:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/179c76bab67a75911b537abcb968cbd7ccbe42f212eab5d91b484ac24432064a/analysis/

NOTE: 3 of the 5 Antivirus organizations in this VirusTotal entry have identified the Flash exploit as CVE-2014-0515

 

JAVA EXPLOIT

File name:  2014-06-19-Nuclear-EK-java-exploit.jar
File size:  4.0 KB ( 4062 bytes )
MD5 hash:  f9c0027ccaeefa616e392132b02fbce7
Detection ratio:  2 / 54
First submission:  2014-06-19 00:22:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/69bf8fdc5510b6ee3c624d5b58043466aebb3301e1ae9ce96f66d7abc883c4fe/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-19-Nuclear-EK-malware-payload.exe
File size:  217.0 KB ( 222208 bytes )
MD5 hash:  87223f535afd8b11dd79c6f39fc059d9
Detection ratio:  4 / 52
First submission:  2014-06-19 16:40:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0282b70848a917cdeb0900ae67ba12fd051c6b147484e34b312198183a12b7b1/analysis/
Malwr link:  https://malwr.com/analysis/YTQzM2M0ZGY3ZGNjNGFlZmFhMzAxODViY2JhYjIwM2Y/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets:

• 5.135.28.118:80 - 192.168.204.227:50186 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
• 192.168.204.227:50191 - 5.135.28.118:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) (sid:2017199)
• 192.168.204.227:50191 - 5.135.28.118:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 192.168.204.227:50191 - 5.135.28.118:80 - ET CURRENT_EVENTS FlimKit Jar URI Struct (sid:2017152)
• 5.135.28.118:80 - 192.168.204.227:50191 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 192.168.204.227:50191 - 5.135.28.118:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)

Sourcefire VRT ruleset:

• 192.168.204.227:50186 - 5.135.28.118:80 - EXPLOIT-KIT Nuclear exploit kit outbound swf request (sid:31237)
• 192.168.204.227:50191 - 5.135.28.118:80 - EXPLOIT-KIT Nuclear exploit kit outbound jar request (sid:30219)
• 5.135.28.118:80 - 192.168.204.227:50191 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 192.168.204.227:50191 - 5.135.28.118:80 - EXPLOIT-KIT Nuclear exploit kit outbound payload request (sid:30220)
• 5.135.28.118:80 - 192.168.204.227:50191 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
• 5.135.28.118:80 - 192.168.204.227:50191 - EXPLOIT-KIT Multiple exploit kit single digit exe detection (sid:28423)

NOTE: These Snort events were taken from Sguil on Security Onion

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAPs:  2014-06-19-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-19-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

p>Click here to return to the main page.