Malware-Traffic-Analysis.net - 2014-06-25

2014-06-25 - NUCLEAR EK FROM 185.14.31.37 - 4607C15APBMYK.WEALEH.UNI.ME - 2453099568-6.WEALEH.UNI.ME

ASSOCIATED FILES:

ZIP of PCAP(s): 2014-06-25-Nuclear-EK-traffic.pcap.zip
ZIP of the malware: 2014-06-25-Nuclear-EK-malware.zip

NOTES:

Today's malware payload generated the same Shylock CnC traffic as seen in yesterday's Angler EK infection (link).
This blog entry is dedicated to Malwageddon... Keep fighting the good fight!

Today, a search on Clean MX showed 1,104 URLs from askmen.com have been reported as bad since 2012-12-31. These were quickly resolved, but new ones kept getting reported. Today, a visit to www.askmen.com generated Nuclear EK traffic that delivered Shylock malware.

ASSOCIATED DOMAINS

INFECTION CHAIN:

23.61.194.218 - www.askmen.com - Compromised website
95.211.188.216 - stat.litecsys.com - First domain in the redirect chain
95.211.188.217 - static.sumibi.org - Second domain in the redirect chain
185.14.31.37 - 4607c15apbmyk.wealeh.uni.me and 2453099568-6.wealeh.uni.me - Nuclear EK

DNS SERVERS USED BY THE MALWARE:

8.8.8.8 and 8.8.4.4 (Google DNS)
208.67.222.220 and 108.67.222.222 (OpenDNS)

DNS QUERIES ISSUED BY THE MALWARE:

ambi.cc
edal.cc
express-shippingus.net
modern-shipping.biz
useushippinginc.com
sted.cc

IP ADDRESSES SEEN IN THE POST-INFECTION HTTPS TRAFFIC:

185.26.146.36
189.127.48.11
216.3.111.60

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT CHAIN:

16:50:44 UTC - 192.168.204.211:49183 - 23.61.194.218:80 - www.askmen.com - GET /
16:50:46 UTC - 192.168.204.211:49185 - 23.61.194.218:80 - www.askmen.com - GET /js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js
16:50:49 UTC - 192.168.204.211:49192 - 95.211.188.216:80 - stat.litecsys.com - GET /d2.php?ds=true&dr=1201283312
16:50:52 UTC - 192.168.204.211:49201 - 95.211.188.217:80 - static.sumibi.org - HEAD /pop2.php?acc=%0Ar%B5%0Fo%3A%18%F21%2F%A5%EB%7B%EBGJ%23
%7Ed%BE3%8D%D4T&nrk=3040270654
16:50:54 UTC - 192.168.204.211:49201 - 95.211.188.217:80 - static.sumibi.org - GET /pop2.php?acc=%0Ar%B5%0Fo%3A%18%F21%2F%A5%EB%7B%EBGJ%23
%7Ed%BE3%8D%D4T&nrk=3040270654

NUCLEAR EK:

16:50:57 UTC - 192.168.204.211:49222 - 185.14.31.37:80 - 4607c15apbmyk.wealeh.uni.me - GET /
16:51:04 UTC - 192.168.204.211:49226 - 185.14.31.37:80 - 2453099568-6.wealeh.uni.me - GET /1403694180.swf
16:51:15 UTC - 192.168.204.211:49235 - 185.14.31.37:80 - 2453099568-6.wealeh.uni.me - GET /1403694180.jar
16:51:16 UTC - 192.168.204.211:49235 - 185.14.31.37:80 - 2453099568-6.wealeh.uni.me - GET /f/1403694180/2
16:51:25 UTC - 192.168.204.211:49235 - 185.14.31.37:80 - 2453099568-6.wealeh.uni.me - GET /f/1403694180/2/2

POST-INFECTION TRAFFIC:

16:51:54 - 192.168.204.211:60474 - 8.8.8.8:53 - Standard query 0xb47d A ambi.cc
16:51:55 - 8.8.8.8:53 - 192.168.204.211:60474 Standard query response 0xb47d A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:51:55 - 192.168.204.211:49239 - 189.127.48.11:443 - Client Hello
16:51:58 - 192.168.204.211:49241 - 189.127.48.11:443 - Client Hello
16:52:13 - 192.168.204.211:54285 - 8.8.8.8:53 - Standard query 0x34f3 A ambi.cc
16:52:13 - 192.168.204.211:56163 - 8.8.8.8:53 - Standard query 0xb7af A ambi.cc
16:52:13 - 8.8.8.8:53 - 192.168.204.211:54285 - Standard query response 0x34f3 A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:13 - 192.168.204.211:55258 - 8.8.8.8:53 - Standard query 0x088d A ambi.cc
16:52:13 - 192.168.204.211:55099 - 8.8.8.8:53 - Standard query 0xbec8 A ambi.cc
16:52:13 - 8.8.8.8:53 - 192.168.204.211:56163 - Standard query response 0xb7af A 189.127.48.11 A 216.3.111.60 A 185.26.146.36
16:52:13 - 8.8.8.8:53 - 192.168.204.211:55258 - Standard query response 0x088d A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:13 - 8.8.8.8:53 - 192.168.204.211:55099 - Standard query response 0xbec8 A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:14 - 192.168.204.211:58284 - 8.8.8.8:53 - Standard query 0x9951 A ambi.cc
16:52:14 - 192.168.204.211:58670 - 8.8.8.8:53 - Standard query 0x07f3 A ambi.cc
16:52:14 - 8.8.8.8:53 - 192.168.204.211:58284 - Standard query response 0x9951 A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:14 - 8.8.8.8:53 - 192.168.204.211:58670 - Standard query response 0x07f3 A 216.3.111.60 A 185.26.146.36 A 189.127.48.11
16:52:14 - 192.168.204.211:49246 - 189.127.48.11:443 - Client Hello
16:52:14 - 192.168.204.211:49247 - 189.127.48.11:443 - Client Hello
16:52:19 - 192.168.204.211:49250 - 216.3.111.60:443 - Client Hello
16:52:19 - 192.168.204.211:49251 - 189.127.48.11:443 - Client Hello
16:52:19 - 192.168.204.211:49252 - 189.127.48.11:443 - Client Hello
16:52:19 - 192.168.204.211:49253 - 189.127.48.11:443 - Client Hello
16:52:19 - 192.168.204.211:49254 - 216.3.111.60:443 - Client Hello
16:52:20 - 192.168.204.211:49255 - 189.127.48.11:443 - Client Hello
16:52:21 - 192.168.204.211:49256 - 189.127.48.11:443 - Client Hello
16:52:21 - 192.168.204.211:49257 - 189.127.48.11:443 - Client Hello
16:52:21 - 192.168.204.211:50370 - 8.8.8.8:53 - Standard query 0x383e A ambi.cc
16:52:21 - 8.8.8.8:53 - 192.168.204.211:50370 - Standard query response 0x383e A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:24 - 192.168.204.211:49259 - 189.127.48.11:443 - Client Hello
16:52:25 - 192.168.204.211:49260 - 189.127.48.11:443 - Client Hello
16:52:26 - 192.168.204.211:49261 - 189.127.48.11:443 - Client Hello
16:52:26 - 192.168.204.211:49262 - 189.127.48.11:443 - Client Hello
16:52:36 - 192.168.204.211:59218 - 8.8.8.8:53 - Standard query 0xd9da A express-shippingus.net
16:52:36 - 8.8.8.8:53 - 192.168.204.211:59218 - Standard query response 0xd9da A 185.26.146.36 A 216.3.111.60 A 189.127.48.11
16:52:37 - 192.168.204.211:49264 - 185.26.146.36:443 - Client Hello
16:52:38 - 192.168.204.211:53504 - 8.8.8.8:53 - Standard query 0x73b2 A ambi.cc
16:52:38 - 8.8.8.8:53 - 192.168.204.211:53504 - Standard query response 0x73b2 A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:38 - 192.168.204.211:49267 - 189.127.48.11:443 - Client Hello
16:52:40 - 192.168.204.211:49266 - 185.26.146.36:443 - Client Hello
16:52:44 - 192.168.204.211:49268 - 189.127.48.11:443 - Client Hello
16:52:45 - 192.168.204.211:57912 - 8.8.8.8:53 - Standard query 0x2eab A ambi.cc
16:52:45 - 8.8.8.8:53 - 192.168.204.211:57912 - Standard query response 0x2eab A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:46 - 192.168.204.211:49270 - 189.127.48.11:443 - Client Hello
16:52:46 - 192.168.204.211:49458 - 8.8.8.8:53 - Standard query 0x2b4f A express-shippingus.net
16:52:46 - 8.8.8.8:53 - 192.168.204.211:49458 - Standard query response 0x2b4f A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:47 - 192.168.204.211:49272 - 189.127.48.11:443 - Client Hello
16:52:47 - 192.168.204.211:49273 - 189.127.48.11:443 - Client Hello
16:52:48 - 192.168.204.211:49274 - 189.127.48.11:443 - Client Hello
16:52:51 - 192.168.204.211:64572 - 8.8.8.8:53 - Standard query 0x90c1 A useushippinginc.com
16:52:52 - 192.168.204.211:64572 - 8.8.4.4:53 - Standard query 0x90c1 A useushippinginc.com
16:52:53 - 192.168.204.211:64572 - 208.67.222.220:53 - Standard query 0x90c1 A useushippinginc.com
16:52:55 - 192.168.204.211:64572 - 8.8.8.8:53 - Standard query 0x90c1 A useushippinginc.com
16:52:55 - 192.168.204.211:64572 - 8.8.4.4:53 - Standard query 0x90c1 A useushippinginc.com
16:52:55 - 192.168.204.211:64572 - 208.67.222.220:53 - Standard query 0x90c1 A useushippinginc.com
16:52:55 - 192.168.204.211:64572 - 208.67.222.222:53 - Standard query 0x90c1 A useushippinginc.com
16:52:56 - 8.8.4.4:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 185.26.146.36 A 216.3.111.60 A 189.127.48.11
16:52:56 - 8.8.8.8:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 189.127.48.11 A 216.3.111.60 A 185.26.146.36
16:52:56 - 192.168.204.211:51847 - 8.8.8.8:53 - Standard query 0xfc16 A useushippinginc.com
16:52:57 - 192.168.204.211:51847 - 8.8.4.4:53 - Standard query 0xfc16 A useushippinginc.com
16:52:58 - 192.168.204.211:51847 - 208.67.222.220:53 - Standard query 0xfc16 A useushippinginc.com
16:52:59 - 8.8.4.4:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 185.26.146.36 A 216.3.111.60 A 189.127.48.11
16:52:59 - 8.8.8.8:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 185.26.146.36 A 216.3.111.60 A 189.127.48.11
16:52:59 - 208.67.222.220:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 216.3.111.60 A 189.127.48.11 A 185.26.146.36
16:52:59 - 208.67.222.222:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 189.127.48.11 A 185.26.146.36 A 216.3.111.60
16:52:59 - 208.67.222.220:53 - 192.168.204.211:64572 - Standard query response 0x90c1 A 189.127.48.11 A 216.3.111.60 A 185.26.146.36
16:53:00 - 192.168.204.211:51847 - 8.8.8.8:53 - Standard query 0xfc16 A useushippinginc.com
16:53:00 - 192.168.204.211:51847 - 8.8.4.4:53 - Standard query 0xfc16 A useushippinginc.com
16:53:00 - 192.168.204.211:51847 - 208.67.222.220:53 - Standard query 0xfc16 A useushippinginc.com
16:53:00 - 192.168.204.211:51847 - 208.67.222.222:53 - Standard query 0xfc16 A useushippinginc.com
16:53:01 - 208.67.222.220:53 - 192.168.204.211:51847 - Standard query response 0xfc16 A 185.26.146.36 A 189.127.48.11 A 216.3.111.60
16:53:01 - 8.8.4.4:53 - 192.168.204.211:51847 - Standard query response 0xfc16 A 185.26.146.36 A 216.3.111.60 A 189.127.48.11
16:53:01 - 208.67.222.222:53 - 192.168.204.211:51847 - Standard query response 0xfc16 A 216.3.111.60 A 189.127.48.11 A 185.26.146.36
16:53:01 - 208.67.222.220:53 - 192.168.204.211:51847 - Standard query response 0xfc16 A 189.127.48.11 A 216.3.111.60 A 185.26.146.36
16:53:01 - 8.8.4.4:53 - 192.168.204.211:51847 - Standard query response 0xfc16 A 185.26.146.36 A 216.3.111.60 A 189.127.48.11
16:53:01 - 8.8.8.8:53 - 192.168.204.211:51847 - Standard query response 0xfc16 A 216.3.111.60 A 189.127.48.11 A 185.26.146.36
16:53:02 - 192.168.204.211:49277 - 185.26.146.36:443 - Client Hello
16:53:03 - 192.168.204.211:49278 - 185.26.146.36:443 - Client Hello
16:53:04 - 192.168.204.211:49279 - 185.26.146.36:443 - Client Hello
16:53:05 - 192.168.204.211:49280 - 185.26.146.36:443 - Client Hello
16:53:06 - 192.168.204.211:53965 - 8.8.8.8:53 - Standard query 0x1d69 A modern-shipping.biz
16:53:06 - 8.8.8.8:53 - 192.168.204.211:53965 - Standard query response 0x1d69 A 216.3.111.60 A 189.127.48.11 A 185.26.146.36
16:53:16 - 192.168.204.211:49282 - 216.3.111.60:443 - Client Hello
16:53:16 - 192.168.204.211:49283 - 216.3.111.60:443 - Client Hello
16:53:17 - 192.168.204.211:52704 - 8.8.8.8:53 - Standard query 0xacd2 A modern-shipping.biz
16:53:17 - 8.8.8.8:53 - 192.168.204.211:52704 - Standard query response 0xacd2 A 216.3.111.60 A 189.127.48.11 A 185.26.146.36
16:53:17 - 192.168.204.211:49285 - 216.3.111.60:443 - Client Hello
16:53:19 - 192.168.204.211:52698 - 8.8.8.8:53 - Standard query 0x9b10 A sted.cc
16:53:19 - 8.8.8.8:53 - 192.168.204.211:52698 - Standard query response 0x9b10 A 185.26.146.36 A 189.127.48.11 A 216.3.111.60
16:53:19 - 192.168.204.211:49286 - 216.3.111.60:443 - Client Hello
16:53:22 - 192.168.204.211:49288 - 185.26.146.36:443 - Client Hello
16:53:23 - 192.168.204.211:55444 - 8.8.8.8:53 - Standard query 0x7b99 A sted.cc
16:53:23 - 8.8.8.8:53 - 192.168.204.211:55444 Standard query response 0x7b99 A 185.26.146.36 A 189.127.48.11 A 216.3.111.60
16:53:23 - 192.168.204.211:49289 - 185.26.146.36:443 - Client Hello
16:53:24 - 192.168.204.211:49291 - 185.26.146.36:443 - Client Hello
16:53:25 - 192.168.204.211:49292 - 185.26.146.36:443 - Client Hello
16:53:26 - 192.168.204.211:51451 - 8.8.8.8:53 - Standard query 0x2777 A edal.cc
16:53:26 - 8.8.8.8:53 - 192.168.204.211:51451 - Standard query response 0x2777 A 185.26.146.36 A 189.127.48.11 A 216.3.111.60
16:53:27 - 192.168.204.211:55411 - 8.8.8.8:53 - Standard query 0x1659 A edal.cc
16:53:27 - 8.8.8.8:53 - 192.168.204.211:55411 - Standard query response 0x1659 A 216.3.111.60 A 189.127.48.11 A 185.26.146.36
16:53:27 - 192.168.204.211:49295 - 216.3.111.60:443 - Client Hello
16:53:28 - 192.168.204.211:49296 - 216.3.111.60:443 - Client Hello
16:53:31 - 192.168.204.211:49297 - 185.26.146.36:443 - Client Hello
16:53:36 - 192.168.204.211:49298 - 185.26.146.36:443 - Client Hello

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT ( CVE-2014-0515 )

File name: 2014-06-25-Nuclear-EK-flash-exploit.swf
File size: 4.3 KB ( 4359 bytes )
MD5 hash: 76a24b09e979ae69523e04a75eb2ded4
Detection ratio: 5 / 54
First submission: 2014-06-20 11:17:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/7cf71bbc539f953b33de154576cec5622d6abec897008253fd5243cde470b636/analysis/

JAVA EXPLOIT ( CVE-2013-2465 )

File name: 2014-06-25-Nuclear-EK-java-exploit.jar
File size: 12.2 KB ( 12520 bytes )
MD5 hash: 14bb3b86bb7060017c8182c89db65280
Detection ratio: 6 / 54
First submission: 2014-06-25 00:43:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/5708c2d127392535fac67535d14507a78729d041068fd27cca93ab8b335b96f3/analysis/

MALWARE PAYLOAD ( CAPHAW / SHYLOCK )

File name: 2014-06-25-Nuclear-EK-malware-payload.exe
File size: 452.0 KB ( 462848 bytes )
MD5 hash: 2cf0ea20417e794f7f2f1a1e471ffd12
Detection ratio: 3 / 54
First submission: 2014-06-25 19:32:14 UTC
VirusTotal link: https://www.virustotal.com/en/file/d25ef0e50161b138fb26b46bd939254389ac618163888e89423150807c296484/analysis/
Malwr link: https://malwr.com/analysis/ODdlMTYyYjkyNDMxNGQ0Yzk2OGU1YzI3NTgxMmU3Y2Q/

SNORT EVENTS

185.14.31.37:80 - 192.168.204.211:49222 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014 (sid:2018595)
192.168.204.211:49225 - 74.125.239.27:80 - ET POLICY Outdated Windows Flash Version IE (sid:2014726)
185.14.31.37:80 - 192.168.204.211:49226 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
192.168.204.211:49235 - 185.14.31.37:80 - ET POLICY Vulnerable Java Version 1.7.x Detected (sid:2014297)
192.168.204.211:49235 - 185.14.31.37:80 - ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 4 (sid:2017460)
192.168.204.211:49235 - 185.14.31.37:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) (sid:2017199)
192.168.204.211:49235 - 185.14.31.37:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
192.168.204.211:49235 - 185.14.31.37:80 - ET CURRENT_EVENTS FlimKit Jar URI Struct (sid:2017152)
185.14.31.37:80 - 192.168.204.211:49235 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
192.168.204.211:49235 - 185.14.31.37:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
185.14.31.37:80 - 192.168.204.211:49235 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
185.14.31.37:80 - 192.168.204.211:49235 - ET INFO EXE - Served Inline HTTP (sid:2014519)
185.14.31.37:80 - 192.168.204.211:49235 - ET INFO Packed Executable Download (sid:2014819)
185.14.31.37:80 - 192.168.204.211:49235 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:201396)
185.14.31.37:80 - 192.168.204.211:49235 - ET POLICY Java EXE Download (sid:2013037)
185.14.31.37:80 - 192.168.204.211:49235 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)
189.127.48.11:443 - 192.168.204.211:49239 - ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC (sid:2015560)
216.3.111.60:443 - 192.168.204.211:49250 - ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC (sid:2015560)
185.26.146.36:443 - 192.168.204.211:49264 - ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC (sid:2015560)

NOTE: This is from Sguil on Security Onion using the default Emerging Threats open ruleset. I'm still working through some issues using the ET PRO and Sourcefire VRT rulesets on Security Onion, so I ask your patience while I work that out.

HIGHLIGHTS FROM THE TRAFFIC

Step 1 - from the www.askmen.com index page to malicious javascript at www.askmen.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js

Step 2 - from the malicious javascript at www.askmen.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js to
stat.litecsys.com/d2.php?ds=true&dr=1201283312

Step 3 - from stat.litecsys.com/d2.php?ds=true&dr=1201283312 to
static.sumibi.org/pop2.php?acc=%0Ar%B5%0Fo%3A%18%F21%2F%A5%EB%7B%EBGJ%23%7Ed%BE3%8D%D4T&nrk=3040270654

Step 4 - from static.sumibi.org/pop2.php?acc=%0Ar%B5%0Fo%3A%18%F21%2F%A5%EB%7B%EBGJ%23%7Ed%BE3%8D%D4T&nrk=3040270654 to
the Nuclear EK landing page at 4607c15apbmyk.wealeh.uni.me

Nuclear EK delivers CVE-2014-0515 Flash exploit:

Nuclear EK delivers Java exploit:

EXE payload sent after successful Java exploit:

Some of the post-infection traffic from the PCAP in Wireshark:

FINAL NOTES

Once again, here are the associated files:

ZIP of PCAP(s): 2014-06-25-Nuclear-EK-traffic.pcap.zip
ZIP of the malware: 2014-06-25-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.