2014-06-22 - NUCLEAR EK FROM 5.101.140.53 - CROWDFUNDING.MAZATLAN-MAZTERS.COM
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-22-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-22-Nuclear-EK-malware.zip
CHAIN OF EVENTS
- 01:12:58 UTC - 172.16.165.135:50881 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /54659720vcxg.html
- 01:13:09 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /1066851726/3/1403378640.jar
- 01:13:10 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /f/3/1403378640/1066851726/2
- 01:13:10 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /f/3/1403378640/1066851726/2/2
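The JAR and payload requests above share the same two numeric tokens (1066851726 and 1403378640) in swapped positions. The following is an added example, not part of the original write-up, that parses these chain-of-events lines and pairs each JAR request with the payload requests that reuse its tokens from the same client to the same server. The regexes are my own generalisation of the two URIs seen here, not the logic of the ET or VRT signatures listed below, and reading the 10-digit token as a Unix epoch is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample log: the four requests from the chain of events above, plus
# one unrelated request so the detector has benign traffic to ignore.
SAMPLE_LOG = """\
01:12:58 UTC - 172.16.165.135:50881 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /54659720vcxg.html
01:13:09 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /1066851726/3/1403378640.jar
01:13:10 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /f/3/1403378640/1066851726/2
01:13:10 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - crowdfunding.mazatlan-mazters.com - GET /f/3/1403378640/1066851726/2/2
01:14:00 UTC - 172.16.165.135:50900 - 192.0.2.10:80 - www.example.com - GET /index.html
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - (\S+?):\d+ - (\S+?):\d+ - (\S+) - GET (\S+)$")
# URI shapes generalised from the two requests observed above; my own illustrative
# regexes, not the matching logic of the ET or VRT signatures.
JAR_RE = re.compile(r"^/(?P<id>\d{6,})/\d/(?P<ts>\d{10})\.jar$")
PAYLOAD_RE = re.compile(r"^/f/\d/(?P<ts>\d{10})/(?P<id>\d{6,})/\d(?:/\d)?$")

def parse(log):
    """Turn chain-of-events lines into dicts; lines that do not match are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, host, uri = m.groups()
            out.append({"ts": ts, "src": src, "dst": dst, "host": host, "uri": uri})
    return out

def payload_for(jar, ev):
    """True if ev is a payload request carrying the same id and ts tokens as the JAR."""
    p = PAYLOAD_RE.match(ev["uri"])
    return bool(p) and p.group("id") == jar.group("id") and p.group("ts") == jar.group("ts")

def find_chains(events):
    """Pair each JAR request with later token-matching payload requests between
    the same client and server; one dict per JAR that was followed by a payload."""
    chains = []
    for i, e in enumerate(events):
        j = JAR_RE.match(e["uri"])
        if not j:
            continue
        payloads = [f["uri"] for f in events[i + 1:]
                    if f["src"] == e["src"] and f["dst"] == e["dst"] and payload_for(j, f)]
        if payloads:
            chains.append({"client": e["src"], "server": e["dst"], "host": e["host"],
                           "jar": e["uri"], "payloads": payloads})
    return chains

def token_as_utc(tok):
    """Assumption: the 10-digit token is a Unix epoch; render it as UTC text."""
    return datetime.fromtimestamp(int(tok), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
```

Run against the sample, `find_chains(parse(SAMPLE_LOG))` yields one chain for 172.16.165.135 with the JAR and both payload URIs, and the unrelated request is ignored.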
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT
File name: 2014-06-22-Nuclear-EK-java-exploit.jar
File size: 12.2 KB (12493 bytes)
MD5 hash: 0cb56ca4e9d3bd7f9ff8fe9c328cef31
Detection ratio: 1 / 53
First submission: 2014-06-22 01:25:28 UTC
VirusTotal link: https://www.virustotal.com/en/file/19ff7f906b844d9b20f7e73ecdecf0f4600ae338d510a9a2f69244319e7047e5/analysis/
MALWARE PAYLOAD
File name: 2014-06-22-Nuclear-EK-malware-payload.exe
File size: 103.8 KB (106320 bytes)
MD5 hash: 2ad148c1efc1b9d706dc99a45e760690
Detection ratio: 1 / 53
First submission: 2014-06-22 01:25:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/d64e7412f28ef90e58d4464153b19416c1e6e2568aa3e9dc2c335b89070b4eaf/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets:
- 2014-06-22 01:13:09 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
- 2014-06-22 01:13:10 UTC - 5.101.140.53:80 - 172.16.165.135:50889 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
- 2014-06-22 01:13:10 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
Sourcefire VRT ruleset:
- 2014-06-22 01:13:09 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - EXPLOIT-KIT Nuclear exploit kit outbound jar request (sid:30219)
- 2014-06-22 01:13:10 UTC - 5.101.140.53:80 - 172.16.165.135:50889 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
- 2014-06-22 01:13:10 UTC - 172.16.165.135:50889 - 5.101.140.53:80 - EXPLOIT-KIT Nuclear exploit kit outbound payload request (sid:30220)
- 2014-06-22 01:13:10 UTC - 5.101.140.53:80 - 172.16.165.135:50889 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
- 2014-06-22 01:13:10 UTC - 5.101.140.53:80 - 172.16.165.135:50889 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
- 2014-06-22 01:13:10 UTC - 5.101.140.53:80 - 172.16.165.135:50889 - EXPLOIT-KIT Multiple exploit kit single digit exe detection (sid:28423)
NOTE: These Snort events were taken from Sguil on Security Onion
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-22-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-22-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.