2014-08-22 - NUCLEAR EK FROM 87.117.255.66 - LIMITED.MARRIAGEAMERICANET.COM
ASSOCIATED FILES:
- ZIP of the pcap(s): 2014-08-22-Nuclear-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-08-22-Nuclear-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 66.232.112.72 - www.onlinenewspapers.com - Initial website
- 66.232.112.73 - c.ic.com.au - Ad traffic with malicious link
- 64.187.226.243 - rb.northlasvegaswater.com - Malvertisement redirect
- 87.117.255.66 - limited.marriageamericanet.com - Nuclear EK
- 81.162.67.82 / 91.246.6.193 / 109.165.99.28 - raing-gerut.su - Post-infection traffic - Zemot callback
- 71.204.29.102 - dients-lihuret.su - Post-infection traffic - Zemot callback
COMPROMISED WEBSITE AND MALICIOUS AD CHAIN:
- 00:25:30 UTC - 172.16.165.133:49169 - 66.232.112.72:80 - www.onlinenewspapers.com - GET /
- 00:25:35 UTC - 172.16.165.133:49192 - 66.232.112.73:80 - c.ic.com.au - GET /openx/www/delivery/ajs.php?zoneid=132&cb=26613150949&charset=utf-8&loc=http%3A//www.onlinenewspapers.com/&referer=http%3A//www.google.co.uk/url%3Furl%3Dhttp%3A//www.onlinenewspapers.com/%26rct%3Dj%26frm%3D1%26q%3D%26esrc%3Ds%26sa%3DU%26ei%3DT432U5jONM3oaK3jgJgP%26ved%3D0CBUQFjAA%26usg%3DAFQjCNGo69a3jKwJTfvLeJP5H2a0OY9lrg
- 00:25:35 UTC - 172.16.165.133:49192 - 66.232.112.73:80 - c.ic.com.au - GET /openx/www/delivery/lg.php?bannerid=327&campaignid=191&zoneid=132&loc=1&referer=http%3A%2F%2Fwww.onlinenewspapers.com%2F&cb=c68f3e7f6d
- 00:25:36 UTC - 172.16.165.133:49215 - 64.187.226.243:80 - rb.northlasvegaswater.com - GET /js/media/html5-min.js?ver=4.85.2709
NUCLEAR EK:
- 00:25:36 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /aebaec92bpo.html
- 00:25:38 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.swf
- 00:25:39 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/7
- 00:25:47 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.pdf
- 00:25:48 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.jar
- 00:25:48 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.jar
- 00:25:49 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/2
- 00:25:49 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/2/2
- 00:25:58 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.htm
- 00:25:59 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/5/x00000700080150050f0304045106565601;1;5
POST-INFECTION TRAFFIC:
- 00:25:42 UTC - 172.16.165.133:49245 - 109.165.99.28:80 - raing-gerut.su - GET /b/shoe/1480 [repeats several times]
- 00:25:50 UTC - 172.16.165.133:49258 - 91.246.6.193:80 - raing-gerut.su - GET /b/shoe/1480 [repeats several times]
- 00:26:05 UTC - 172.16.165.133:49294 - 81.162.67.82:80 - raing-gerut.su - GET /b/shoe/1480 [repeats several times]
- 00:26:29 UTC - 172.16.165.133:49370 - 71.204.29.102:80 - dients-lihuret.su - GET /mod_articles-login-985.658/jquery/ [repeats several times]
- 00:29:23 UTC - 172.16.165.133:49471 - 71.204.29.102:80 - dients-lihuret.su - GET /mod_articles-login-985.658/ajax/ [repeats several times]
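The chain of events above is laid out in a fixed "time - src:port - dst:port - host - GET /path" format, and the Nuclear EK requests share a small set of URI shapes (the numeric /<id>/<n>/<id>.<ext> exploit files and the /f/... payload requests) while the Zemot check-ins all hit /b/shoe/<digits>. The following is an added example, not part of the original post or of any Snort ruleset: a small Python stage-tagger that parses lines in the page's own format, classifies each request by URI shape using heuristics I derived only from the URIs listed above, and flags whether a payload request was followed by a check-in. The sample log is constructed from the requests on this page; the regexes and stage names are my own assumptions and are not the ET or VRT signatures cited later.

```python
"""Stage-tag the Nuclear EK / Zemot traffic listed on this page by URI shape.

Added example, not the original post's code. The URI heuristics below are
assumptions derived from the requests visible on the page; they are not the
Emerging Threats or Sourcefire VRT rules referenced in the Snort section.
"""
import re
from dataclasses import dataclass

# Page line format: "HH:MM:SS UTC - src:port - dst:port - host - GET /path [...]"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - GET (?P<path>\S+)"
)

# Assumed URI-shape heuristics, checked in order (most specific first).
STAGE_PATTERNS = [
    # /<digits>/<digit>/<digits>.(swf|pdf|jar): exploit file requests
    ("nuclear_exploit", re.compile(r"^/\d{6,}/\d/\d{6,}\.(?:swf|pdf|jar)$")),
    # same structure with .htm/.html: the secondary frame seen at 00:25:58
    ("nuclear_frame", re.compile(r"^/\d{6,}/\d/\d{6,}\.html?$")),
    # /f/<digit>/<digits>/<digits>/<digit>(/<digit>): payload requests
    ("nuclear_payload", re.compile(r"^/f/\d/\d{6,}/\d{6,}/\d(?:/\d)?$")),
    # /f/.../<digit>/x<hex>;<n>;<n>: the trailing payload request after the .htm
    ("nuclear_payload", re.compile(r"^/f/\d/\d{6,}/\d{6,}/\d/x[0-9a-f]+(?:;\d+)+$")),
    # /b/shoe/<digits>: the Zemot check-in shape from the post-infection section
    ("zemot_checkin", re.compile(r"^/b/shoe/\d+$")),
]


@dataclass
class Event:
    time: str
    src: str
    dst: str
    host: str
    path: str
    stage: str


def classify_path(path: str) -> str:
    """Return the first matching stage name, or 'unclassified'."""
    for stage, rx in STAGE_PATTERNS:
        if rx.match(path):
            return stage
    return "unclassified"


def parse_line(line: str):
    """Parse one page-format line into an Event (None if it does not match)."""
    m = LINE_RE.match(line.strip().lstrip("- ").strip())
    if not m:
        return None
    return Event(m["time"], m["src"], m["dst"], m["host"], m["path"],
                 classify_path(m["path"]))


def tag_events(lines):
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def summarize(events):
    """Stage set per host, plus whether a payload request preceded a check-in."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev.host, set()).add(ev.stage)
    payload_times = [ev.time for ev in events if ev.stage == "nuclear_payload"]
    checkin_times = [ev.time for ev in events if ev.stage == "zemot_checkin"]
    # HH:MM:SS strings compare correctly as text within a single day.
    chain_complete = bool(payload_times and checkin_times
                          and min(payload_times) <= max(checkin_times))
    return {"by_host": by_host, "chain_complete": chain_complete}


# Constructed sample: a subset of the requests listed on this page.
SAMPLE_LOG = [
    "- 00:25:30 UTC - 172.16.165.133:49169 - 66.232.112.72:80 - www.onlinenewspapers.com - GET /",
    "- 00:25:36 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /aebaec92bpo.html",
    "- 00:25:38 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.swf",
    "- 00:25:39 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/7",
    "- 00:25:42 UTC - 172.16.165.133:49245 - 109.165.99.28:80 - raing-gerut.su - GET /b/shoe/1480 [repeats several times]",
    "- 00:25:49 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/2/2",
    "- 00:25:58 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /1483443039/3/1408645260.htm",
    "- 00:25:59 UTC - 172.16.165.133:49230 - 87.117.255.66:80 - limited.marriageamericanet.com - GET /f/3/1408645260/1483443039/5/x00000700080150050f0304045106565601;1;5",
]

if __name__ == "__main__":
    events = tag_events(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.time} {ev.host:32} {ev.stage:16} {ev.path}")
    print(summarize(events))
```

Note that the initial landing page (/aebaec92bpo.html) stays unclassified by URI shape alone: it has no distinctive structure, which is why landing pages are usually caught by content signatures or by following the referer chain from the malvertisement rather than by path matching. The heuristics above only cover the exploit, payload and check-in shapes that repeat on this page.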
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-08-22-Nuclear-EK-flash-exploit.swf
File size: 5.6 KB ( 5743 bytes )
MD5 hash: da10fc6b287719bef50de61187697e2d
Detection ratio: 2 / 55
First submission: 2014-08-22 00:44:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/027c853542568afdcc0018363665a6ac7d3123e83c709e874fc7a77160e9511d/analysis/
JAVA EXPLOIT:
File name: 2014-08-22-Nuclear-EK-java-exploit.jar
File size: 12.1 KB ( 12356 bytes )
MD5 hash: 87b0838601967e55a2301d54d455a214
Detection ratio: 4 / 55
First submission: 2014-08-22 00:44:23 UTC
VirusTotal link: https://www.virustotal.com/en/file/5fe5a0e866fedf8d8fba722f9aca42bb6dddfb9a3971011e169c52ea763d483a/analysis/
PDF EXPLOIT:
File name: 2014-08-22-Nuclear-EK-pdf-exploit.pdf
File size: 9.5 KB ( 9706 bytes )
MD5 hash: fa121ccd1b6a9de986c4b21db674d6fd
Detection ratio: 2 / 54
First submission: 2014-08-22 00:44:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/829757ee803b7cbe39054499368c9cac07462d566237a1ee0f70c609fd30eac8/analysis/
MALWARE PAYLOAD:
File name: 2014-08-22-Nuclear-EK-malware-payload.exe
File size: 100.4 KB ( 102771 bytes )
MD5 hash: c13cbaa70c7a0709d86d16242179df68
Detection ratio: 1 / 55
First submission: 2014-08-22 00:45:03 UTC
VirusTotal link: https://www.virustotal.com/en/file/b92c749b42ad5ecb846e319a3eed7871e38bdc75722b9cd324e9ecea0f0b279f/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 2014-08-22 00:25:47 UTC - 172.16.165.133:49248 - 109.165.99.28:80 - ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
- 2014-08-22 00:25:47 UTC - 172.16.165.133:49248 - 109.165.99.28:80 - ET TROJAN Win32/Zemot Checkin (sid:2018643 and 2018644)
- 2014-08-22 00:25:48 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
- 2014-08-22 00:25:49 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
- 2014-08-22 00:25:49 UTC - 87.117.255.66:80 - 172.16.165.133:49252 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
- 2014-08-22 00:25:49 UTC - 87.117.255.66:80 - 172.16.165.133:49252 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)
- 2014-08-22 00:25:49 UTC - 87.117.255.66:80 - 172.16.165.133:49252 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:
- 2014-08-22 00:25:34 UTC - 172.16.165.2:53 - 172.16.165.133:various - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (x13)
- 2014-08-22 00:25:39 UTC - 172.16.165.133:various - 87.117.255.66:80 - [1:30220:2] EXPLOIT-KIT Nuclear exploit kit outbound payload request (x4)
- 2014-08-22 00:25:39 UTC - 87.117.255.66:80 - 172.16.165.133:various - [1:11192:16] FILE-EXECUTABLE download of executable content (x3)
- 2014-08-22 00:25:39 UTC - 87.117.255.66:80 - 172.16.165.133:various - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download (x3)
- 2014-08-22 00:25:39 UTC - 87.117.255.66:80 - 172.16.165.133:various - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x4)
- 2014-08-22 00:25:39 UTC - 87.117.255.66:80 - 172.16.165.133:various - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x3)
- 2014-08-22 00:25:40 UTC - 172.16.165.133:various - 172.16.165.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x10)
- 2014-08-22 00:25:48 UTC - 172.16.165.133:49252 - 87.117.255.66:80 - [1:30219:2] EXPLOIT-KIT Nuclear exploit kit outbound jar request (x2)
- 2014-08-22 00:25:48 UTC - 87.117.255.66:80 - 172.16.165.133:49252 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt (x2)
- 2014-08-22 00:25:49 UTC - 87.117.255.66:80 - 172.16.165.133:49252 - [1:25042:3] EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap(s): 2014-08-22-Nuclear-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-08-22-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.