Malware-Traffic-Analysis.net - 2014-08-28

2014-08-28 - NUCLEAR EK FROM 80.85.85.71 - NANORAIFA.LOOSECANNON.INFO

ASSOCIATED FILES:

ZIP of the pcap(s): 2014-08-28-Nuclear-EK-traffic.pcap.zip
ZIP file of the malware: 2014-08-28-Nuclear-EK-malware.zip

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

108.174.144.149 - www.dalecarnegie.ca - Compromised website
178.62.156.134 - nikajumet.solutionoptic.com.ar - Redirect
80.85.85.71 - nanoraifa.loosecannon.info - Nuclear EK

COMPROMISED WEBSITE AND REDIRECT:

23:35:04 UTC - 172.16.165.133:49171 - 108.174.144.149:80 - www.dalecarnegie.ca - GET /wp-content/plugins/teachpress/js/frontend.js
23:35:04 UTC - 172.16.165.133:49178 - 178.62.156.134:80 - nikajumet.solutionoptic.com.ar - GET /troisegahol15.html?

NUCLEAR EK:

23:35:07 UTC - 172.16.165.133:49186 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /1228483405/2/1409268720.swf
23:35:08 UTC - 172.16.165.133:49186 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /f/2/1409268720/1228483405/7
23:35:19 UTC - 172.16.165.133:49186 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /1228483405/2/1409268720.pdf
23:35:20 UTC - 172.16.165.133:49193 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /1228483405/2/1409268720.htm
23:35:21 UTC - 172.16.165.133:49194 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /1228483405/2/1409268720.jar
23:35:22 UTC - 172.16.165.133:49186 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /f/2/1409268720/1228483405/5/x000407000700080150050f0304045106565601;1;5
23:36:00 UTC - 172.16.165.133:49202 - 80.85.85.71:80 - nanoraifa.loosecannon.info - GET /1228483405/2/1409268720.jar

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name: 2014-08-28-Nuclear-EK-flash-exploit.swf
File size: 5.7 KB ( 5847 bytes )
MD5 hash: a93d6fb584c3b1dc1fb33149de13e164
Detection ratio: 1 / 54
First submission: 2014-08-29 00:32:36 UTC
VirusTotal link: https://www.virustotal.com/en/file/1ec6476d6ece91f87a846488780ece72b11958593ac1a0d17dd5f882fe90f226/analysis/

JAVA EXPLOIT:

File name: 2014-08-28-Nuclear-EK-java-exploit.jar
File size: 12.3 KB ( 12580 bytes )
MD5 hash: e294048a59d597575096532c741cd4e0
Detection ratio: 6 / 55
First submission: 2014-08-28 19:05:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/9c97994a67d709e87b1f3158ed54dc6250656705cce4139cce3e169849bef533/analysis/

PDF EXPLOIT:

File name: 2014-08-28-Nuclear-EK-pdf-exploit.pdf
File size: 9.4 KB ( 9604 bytes )
MD5 hash: 041b768326fdf5628f99e0195e383126
Detection ratio: 3 / 55
First submission: 2014-08-29 01:39:05 UTC
VirusTotal link: https://www.virustotal.com/en/file/a04f368adeb41929657f6716f1f87d452cb9bf00b50a9d8ba18a5380d1794beb/analysis/

MALWARE PAYLOAD:

File name: 2014-08-28-Nuclear-EK-malware-payload.exe
File size: 120.0 KB ( 122880 bytes )
MD5 hash: 4df1855c166b868ccf56c161c1d4aeff
Detection ratio: 3 / 55
First submission: 2014-08-29 00:31:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/f58c180c08be9217afa8cb98720e888059842ea661974e356eb46e0c6e21d588/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

2014-08-28 23:35:05 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (sid:2019078)
2014-08-28 23:35:08 UTC - 172.16.165.133:49186 - 80.85.85.71:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
2014-08-28 23:35:08 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
2014-08-28 23:35:08 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
2014-08-28 23:35:19 UTC - 172.16.165.133:49186 - 80.85.85.71:80 - ET CURRENT_EVENTS Nuclear EK PDF URI Struct (sid:2017636)
2014-08-28 23:35:19 UTC - 172.16.165.133:49193 - 80.85.85.71:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (sid:2017774)
2014-08-28 23:35:19 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client (sid:2013960)
2014-08-28 23:35:19 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
2014-08-28 23:35:21 UTC - 172.16.165.133:49195 - 80.85.85.71:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
2014-08-28 23:35:21 UTC - 80.85.85.71:80 - 172.16.165.133:49194 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
2014-08-28 23:35:21 UTC - 80.85.85.71:80 - 172.16.165.133:49194 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
2014-08-28 23:35:25 UTC - 111.121.193.238:443 - 172.16.165.133:49194 - ETPRO TROJAN Win32/Tofsee Loader Config Download (sid:2808577)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7.6:

2014-08-28 23:35:06 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - [1:31734:1] EXPLOIT-KIT Nuclear exploit kit landing page detection
2014-08-28 23:35:06 UTC - 108.174.144.149 - 172.16.165.133 - [139:1:1] (spp_sdf) SDF Combination Alert (x3)
2014-08-28 23:35:08 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - [1:11192:16] FILE-EXECUTABLE download of executable content (x2)
2014-08-28 23:35:08 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x2)
2014-08-28 23:35:08 UTC - 80.85.85.71:80 - 172.16.165.133:49186 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x2)
2014-08-28 23:35:21 UTC - 172.16.165.133:various - 80.85.85.71:80 - [1:30219:3] EXPLOIT-KIT Nuclear exploit kit outbound jar request (x2)
2014-08-28 23:35:21 UTC - 80.85.85.71:80 - 172.16.165.133:various - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt (x2)

FINAL NOTES

Once again, here are the associated files:

ZIP of the pcap(s): 2014-08-28-Nuclear-EK-traffic.pcap.zip
ZIP file of the malware: 2014-08-28-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.