2014-07-19 - NUCLEAR EK FROM 79.133.219.121 - 141320960-6.EASYPOTENT.CO.VU

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-07-19-Nuclear-EK-all-pcaps.zip
• ZIP of the malware:  2014-07-19-Nuclear-EK-malware.zip

 

PCAPS AND MALWARE:

• I ran the malware payload through the malwr.com sandbox analysis twice, because I couldn't extract the follow-up Rerdom malware from the first pcap.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 79.133.219.121 - 141320960-6.easypotent.co.vu and c659714ddr8i.easypotent.co.vu - Nuclear EK
• Various IP addresses - various domains - Post-infection traffic (see below)

 

NUCLEAR EK:

• 2014-07-19 00:02:27 UTC - 172.16.165.132:49973 - 79.133.219.121:80 - c659714ddr8i.easypotent.co.vu - GET /
• 2014-07-19 00:02:31 UTC - 172.16.165.132:49978 - 79.133.219.121:80 - 141320960-6.easypotent.co.vu - GET /1405706160.swf
• 2014-07-19 00:02:38 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - 141320960-6.easypotent.co.vu - GET /1405706160.jar
• 2014-07-19 00:02:39 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - 141320960-6.easypotent.co.vu - GET /f/1405706160/2
• 2014-07-19 00:02:40 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - 141320960-6.easypotent.co.vu - GET /f/1405706160/2/2

 

POST-INFECTION TRAFFIC FROM THE VM:

• 2014-07-19 00:02:41 UTC - 172.16.165.132:49988 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:02:42 UTC - 172.16.165.132:49989 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:02:50 UTC - 172.16.165.132:49990 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:02:51 UTC - 172.16.165.132:49996 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:02:58 UTC - 172.16.165.132:49998 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:03:04 UTC - 172.16.165.132:49999 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:04:13 UTC - 172.16.165.132:50032 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:04:15 UTC - 172.16.165.132:50033 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:04:22 UTC - 172.16.165.132:50040 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:04:42 UTC - 172.16.165.132:50047 - 178.150.136.252:80 - enjoy-hot.com - GET /b/shoe/75412
• 2014-07-19 00:04:43 UTC - 172.16.165.132:50048 - 188.190.5.162:80 - star-ffee.com - GET /mod_articles-qa/jquery/
• 2014-07-19 00:04:58 UTC - 172.16.165.132:50057 - 188.190.5.162:80 - star-ffee.com - GET /mod_articles-qa/jquery/
• 2014-07-19 00:05:03 UTC - 172.16.165.132:50062 - 188.190.5.162:80 - star-ffee.com - GET /mod_articles-qa/jquery/

 

POST-INFECTION TRAFFIC FROM MALWR.COM SANDBOX ANALYSIS:

• 00:45:33 UTC - 192.168.56.102:1036 - 46.172.192.38:80 - enjoy-hot.com - GET /b/shoe/75412
• 00:45:34 UTC - 192.168.56.102:1037 - 46.172.192.38:80 - enjoy-hot.com - GET /b/shoe/75412
• 00:45:35 UTC - 192.168.56.102:1038 - 134.249.3.254:80 - star-ffee.com - GET /mod_articles-qa/jquery/
• 00:46:09 UTC - 192.168.56.102:1026 - 109.254.81.175:80 - star-ffee.com - GET /mod_jshopping-php/soft32.dll
• 00:46:15 UTC - 192.168.56.102:1033 - 178.236.143.163:80 - vision-vaper.su - GET /b/eve/43a7e6ea4896b91f3c6e439c
• 00:47:13 UTC - 192.168.56.102:1037 - 178.236.143.163:80 - vision-vaper.su - POST /b/opt/CD2EF2264695AD334DA4F2C6
• 00:47:13 UTC - 192.168.56.102:1038 - 178.236.143.163:80 - vision-vaper.su - GET /b/letr/1138EB488BC5A39780F4FC62
• 00:47:15 UTC - 192.168.56.102:1041 - 65.254.49.118:8080 - 65.254.49.118:8080 - POST /b/opt/44203100FBB2BE7AF083E18F
• 00:47:32 UTC - 192.168.56.102:1042 - 65.254.49.118:8080 - 65.254.49.118:8080 - POST /b/req/E5E308C3893C898C820DD679
• 00:47:53 UTC - 192.168.56.102:1043 - 65.254.49.118:8080 - 65.254.49.118:8080 - POST /b/req/D1F2146112BF5CD3198E0326
• 00:47:14 UTC - 192.168.56.102:1039 - 50.57.228.220:443 - POST /b/opt/F2BEA10A7635E6DA7D04B92F
• 00:47:14 UTC - 192.168.56.102:1040 - 50.57.228.220:443 - GET /b/letr/F0399A3C51DDC6665AEC9993
• 00:48:14 UTC - 192.168.56.102:1060 - 65.254.49.118:8080 - 65.254.49.118:8080 - POST /b/opt/384EA98A1A43CABD11729548

• 00:47:55 UTC - 192.168.56.102:1045 - 192.162.19.34:80 - lereve-search.com - GET /
• 00:47:56 UTC - 192.168.56.102:1046 - 192.162.19.34:80 - resorts-search.com - GET /
• followed by other fake search engine click-faud traffic (see 2014-07-19-Nuclear-EK-malware-payload-sandbox-analysis-01.pcap for details)

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-19-Nuclear-EK-flash-exploit.swf
File size:  5.8 KB ( 5897 bytes )
MD5 hash:  765f1c63fb0747125e8391392c0e078e
Detection ratio:  4 / 53
First submission:  2014-07-19 00:44:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0c7ea628113061150d1277afce771ace591c57f7721e11f78a8c606cf6cbbe94/analysis/

 

JAVA EXPLOIT:

File name:  2014-07-19-Nuclear-EK-java-exploit.jar
File size:  11.1 KB ( 11367 bytes )
MD5 hash:  b21c14530f4ac483258642d29baa806f
Detection ratio:  1 / 53
First submission:  2014-07-18 20:06:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6d69158e1bebf5fd202ea40c2d70dea6a0c033843df04d9d04d417d62769504/analysis/

 

MALWARE PAYLOAD:

File name:  2014-07-19-Nuclear-EK-malware-payload.exe
File size:  96.0 KB ( 98312 bytes )
MD5 hash:  3cbc20e8ce4b4fb47da3cc1c963d41b3
Detection ratio:  1 / 52
First submission:  2014-07-19 00:43:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/957a25e2023721a17fa86d8db8f6985f2817e48bb3fb0dd8efb052c40424aa9a/analysis/
Malwr link:  https://malwr.com/analysis/YjFkYzBiY2Q0ZGVhNGQ1YWJiN2Q5NDFmODhlN2QzZGM/

 

FOLLOW-UP MALWARE FROM MALWR.COM ANALYSIS:

File name:  exe.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  72353b5bd718a4abd964b2612e3dd01d
Detection ratio:  2 / 53
First submission:  2014-07-19 01:28:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e5ad7bec18337e46f45cb67a62f853b5bc31af86ef950c0715d476a9cd7489e4/analysis/
Malwr link:  https://malwr.com/analysis/ZWI0NzQxMmM1YzdmNDI2OThjZjFiYjE1MDRiMmY3MzE/

NOTE:  This is Rerdom, normally saved to the infected computer as UpdateFlashPlayer_[something].exe in the user's AppData\Local\Temp directory.

 

SNORT EVENTS FROM THE VM INFECTION TRAFFIC

 

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not counting ET INFO or ET POLICY signatures):

• 2014-07-19 00:02:27 UTC - 79.133.219.121:80 - 172.16.165.132:49973 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014 (sid:2018595)
• 2014-07-19 00:02:31 UTC - 79.133.219.121:80 - 172.16.165.132:49978 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
• 2014-07-19 00:02:38 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) (sid:2017199)
• 2014-07-19 00:02:38 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 2014-07-19 00:02:38 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - ET CURRENT_EVENTS FlimKit Jar URI Struct (sid:2017152)
• 2014-07-19 00:02:39 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)
• 2014-07-19 00:02:40 UTC - 172.16.165.132:49988 - 178.150.136.252:80 - ET TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2018643)
• 2014-07-19 00:04:42 UTC - 172.16.165.132:50048 - 188.190.5.162:80 - ET TROJAN Win32/Zemot Checkin (sid:2018644)

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

• 2014-07-19 00:02:31 UTC - 172.16.165.132:49978 - 79.133.219.121:80 - [1:31237:1] EXPLOIT-KIT Nuclear exploit kit outbound swf request
• 2014-07-19 00:02:38 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - [1:30219:2] EXPLOIT-KIT Nuclear exploit kit outbound jar request
• 2014-07-19 00:02:38 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
• 2014-07-19 00:02:39 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - [1:30220:2] EXPLOIT-KIT Nuclear exploit kit outbound payload request
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:25042:3] EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
• 2014-07-19 00:02:39 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-07-19 00:02:40 UTC - 172.16.165.132:49986 - 79.133.219.121:80 - [1:30220:2] EXPLOIT-KIT Nuclear exploit kit outbound payload request
• 2014-07-19 00:02:40 UTC - 79.133.219.121:80 - 172.16.165.132:49986 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-07-19-Nuclear-EK-all-pcaps.zip
• ZIP of the malware:  2014-07-19-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.