2014-07-04 - NUCLEAR EK ON 5.135.211.48 - EDC.VIRTUALTRAVELEVENTS.NET

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-07-04-Nuclear-EK-both-pcaps.zip
• ZIP of the malware:  2014-07-04-Nuclear-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 54.86.234.106 - www.likemagicbox.com - First redirect (don't know who the original referer was)
• 162.247.12.165 - coaches.toasthousemarket.com - Second redirect
• 5.135.211.48 - edc.virtualtravelevents.net - Nuclear EK
• Various IP addresses - various domains - Post-infection traffic from sandbox analysis

 

REDIRECT CHAIN LEADING TO NUCLEAR EK:

• 00:58:48 UTC - 172.16.165.132:49208 - 54.86.234.106:80 - www.likemagicbox.com - GET /fusionx/www/delivery/afr.php?zoneid=603&cb=34531279210
• 00:58:48 UTC - 172.16.165.132:49212 - 162.247.12.165:80 - coaches.toasthousemarket.com - GET /assets/js/jquery-1.3.1.min.js?ver=3.75.8698

NUCLEAR EK:

• 00:58:49 UTC - 172.16.165.132:49222 - 5.135.211.48:80 - edc.virtualtravelevents.net - GET /58c92896mv39x6.html
• 00:59:00 UTC - 172.16.165.132:49229 - 5.135.211.48:80 - edc.virtualtravelevents.net - GET /3020225639/3/1404414600.jar
• 00:59:01 UTC - 172.16.165.132:49229 - 5.135.211.48:80 - edc.virtualtravelevents.net - GET /f/3/1404414600/3020225639/2
• 00:59:02 UTC - 172.16.165.132:49229 - 5.135.211.48:80 - edc.virtualtravelevents.net - GET /f/3/1404414600/3020225639/2/2

 

PCAP FROM SANDBOX ANALYSIS OF THE MALWARE:

• 01:11:08 UTC - 192.168.56.101:1035 - 134.249.9.253:80 - lare-funer.com - GET /b/shoe/1480
• 01:11:08 UTC - 192.168.56.101:1036 - 134.249.9.253:80 - lare-funer.com - GET /b/shoe/1480
• 01:11:10 UTC - 192.168.56.101:1037 - 68.45.64.5:80 - arrival-tuer.com - GET /mod_articles-78.34/jquery/
• 01:12:20 UTC - 192.168.56.101:1031 - 50.46.181.179:80 - arrival-tuer.com - GET /mod_jshopping-12.32/soft32.dll
• 01:12:26 UTC - 192.168.56.101:1033 - 99.238.33.1:80 - vision-vaper.su - GET /b/eve/b2679c30b956c3c5301871dd
• 01:13:25 UTC - 192.168.56.101:1034 - 99.238.33.1:80 - vision-vaper.su POST /b/opt/394E49754B7EF459404FABAC
• 01:13:26 UTC - 192.168.56.101:1035 - 99.238.33.1:80 - vision-vaper.su - GET /b/letr/B8B05C930D24C00306159FF6
• 01:13:27 UTC - 192.168.56.101:1036 - 31.192.209.243:8080 - 31.192.209.243:8080 - POST /b/opt/99076BD6C7D87019CCE92FEC
• 01:13:28 UTC - 192.168.56.101:1037 - 31.192.209.243:8080 - 31.192.209.243:8080 - GET /b/letr/3A5E7D65AB927416A0A32BE3
• 01:13:28 UTC - 192.168.56.101:1038 - 194.38.104.218:443 - POST /b/opt/2174CE4ED7882393DCB97C66
• 01:13:28 UTC - 192.168.56.101:1039 - 194.38.104.218:443 - POST /b/req/F92E8B58573E4A535C0F15A6

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-07-04-Nuclear-EK-java-exploit.jar
File size:  11.1 KB ( 11365 bytes )
MD5 hash:  3bbf5967da5b854ae3103722e69f5437
Detection ratio:  2 / 54
First submission:  2014-07-04 01:08:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d57f9b53c89bfa09272eb92e7a6d238a9b35c6db8910195d82dc5604b348f2fe/analysis/

 

MALWARE PAYLOAD

File name:  2014-07-04-Nuclear-EK-malware-payload.exe
File size:  132.5 KB ( 135680 bytes
MD5 hash:  bf523d17c9ee2fffd0dae1431a729927
Detection ratio:  3 / 54
First submission:  2014-07-04 01:08:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e2adbf56f9aee4711b296eb0ce62afda1e97235ae95fb16d511e8629d6850b8e/analysis/
Malwr link:  https://malwr.com/analysis/MmQwMGMzMzdkYmRkNGEwN2EwZDBiN2I4YjgzZGU4MWY/

 

FOLLOW-UP MALWARE

File name:  2014-07-04-Nuclear-EK-post-infection-malware.exe
File size:  165.0 KB ( 168968 bytes )
MD5 hash:  0bdf4a4c27fe59b370e4cce0db3bb502
Detection ratio:  10 / 54
First submission:  2014-07-04 01:28:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e14f03337a7d9963a56d5f3ca7dca15cb8d149c96da03f8707b400a1a4ee8220/analysis/
Malwr link:  https://malwr.com/analysis/NmE0ZGVlNDE1ZWZmNDk1MzgzYzExOTNmMGM0MzcyZDQ/

 

SNORT EVENTS FROM THE INITIAL INFECTION

Emerging Threats and ETPRO rulesets (not including ET INFO or ET POLICY signatures):

• 172.16.165.132:49212 - 162.247.12.165:80 - ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct (sid:2018454)
• 5.135.211.48:80 - 172.16.165.132:49222 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014 (sid:2018595)
• 172.16.165.132:49229 - 5.135.211.48:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
• 172.16.165.132:49229 - 5.135.211.48:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 5.135.211.48:80 - 172.16.165.132:49229 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)

Sourcefire VRT ruleset:

• 5.135.211.48:80 - 172.16.165.132:49229 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 172.16.165.132:49229 - 5.135.211.48:80 - EXPLOIT-KIT Nuclear exploit kit outbound payload request (sid:30220)
• 5.135.211.48:80 - 172.16.165.132:49229 - FILE-EXECUTABLE download of executable content (sid:11192)
• 5.135.211.48:80 - 172.16.165.132:49229 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
• 5.135.211.48:80 - 172.16.165.132:49229 - EXPLOIT-KIT Multiple exploit kit single digit exe detection (sid:28423)
• 172.16.165.132:49229 - 5.135.211.48:80 - EXPLOIT-KIT Nuclear exploit kit outbound jar request (sid:30219)

NOTE: These Snort events were taken from Sguil on Security Onion

 

SNORT EVENTS FROM SANDBOX ANALYSIS OF THE MALWARE

Emerging Threats and ETPRO rulesets (not including ET INFO or ET POLICY signatures):

• 2014-07-04 00:11:08 UTC - 192.168.56.101:1035 - 134.249.9.253:80 - [1:2807742:1] ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin
• 2014-07-04 00:11:08 UTC - 192.168.56.101:1036 - 134.249.9.253:80 - [1:2807742:1] ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin
• 2014-07-04 00:11:11 UTC - 68.45.64.5:80 - 192.168.56.101:1037 - [1:2008438:7] ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
• 2014-07-04 00:12:20 UTC - 192.168.56.101:1031 - 50.46.181.179:80 - [1:2010706:6] ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk
• 2014-07-04 00:12:26 UTC - 192.168.56.101:1033 - 99.238.33.1:80 - [1:2018096:1] ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon
• 2014-07-04 00:12:27 UTC - 99.238.33.1:80 - 192.168.56.101:1033 - [1:2018097:1] ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
• 2014-07-04 00:13:25 UTC - 192.168.56.101:1034 - 99.238.33.1:80 - [1:2018098:2] ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon
• 2014-07-04 00:13:27 UTC - 192.168.56.101:1036 - 31.192.209.243:8080 - [1:2018098:2] ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon

Sourcefire VRT ruleset:

• 2014-07-04 00:11:11 UTC - 68.45.64.5:80 - 192.168.56.101:1037 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP
• 2014-07-04 00:11:11 UTC - 68.45.64.5:80 - 192.168.56.101:1037 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• 2014-07-04 00:11:11 UTC - 68.45.64.5:80 - 192.168.56.101:1037 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-07-04 00:11:11 UTC - 68.45.64.5:80 - 192.168.56.101:1037 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-07-04 00:12:24 UTC - 192.168.56.101:1025 - 192.168.56.1:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• 2014-07-04 00:12:26 UTC - 192.168.56.101:1033 - 99.238.33.1:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-04 00:13:25 UTC - 192.168.56.101:1034 - 99.238.33.1:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-04 00:13:26 UTC - 192.168.56.101:1035 - 99.238.33.1:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-04 00:13:27 UTC - 192.168.56.101:1036 - 31.192.209.243:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-04 00:13:28 UTC - 192.168.56.101:1037 - 31.192.209.243:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection

NOTE: These Snort events were taken by reading the PCAP using Snort 2.9.6.0 on Ubuntu 14.04 LTS.  This setup has the same rulesets used on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-07-04-Nuclear-EK-both-pcaps.zip
• ZIP of the malware:  2014-07-04-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.