Malware-Traffic-Analysis.net - 2014-09-16

2014-09-16 - NUCLEAR EK FROM 80.85.87.179 - OFLATIRAS.VIDEOSDEANIMAIS.COM.BR

ASSOCIATED FILES:

ZIP of the pcap: 2014-09-16-Nuclear-EK-traffic.pcap.zip
ZIP of the malware: 2014-09-16-Nuclear-EK-malware.zip

NOTES:

Saw a URL to domainsfullkolls.biz during this infection traffic that looks like Fiesta, but the connection was RST by the server after the HTTP GET request was sent.

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

66.147.244.185 - www.youniquebyshandi.com - Compromised website
178.62.244.97 - aflordi.insuit.net - Redirect (gate)
80.85.87.179 - oflatiras.videosdeanimais.com.br - Nuclear EK

COMPROMISED WEBSITE AND REDIRECT (GATE):

2014-09-16 12:54:33 UTC - 192.168.204.147:49642 - 66.147.244.185:80 - www.youniquebyshandi.com - GET /
2014-09-16 12:54:35 UTC - 192.168.204.147:49642 - 66.147.244.185:80 - www.youniquebyshandi.com - GET /wp-content/themes/Avada/js/respond.min.js
2014-09-16 12:54:37 UTC - 192.168.204.147:49650 - 178.62.244.97:80 - aflordi.insuit.net - GET /ifragigulda16.html

NUCLEAR EK:

12:54:38 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /87785928qqz/1/9ffbf35e4190fbba62f70c8477fa3964.html
12:54:40 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /413838152/2/1410872100.xap
12:54:40 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /f/2/1410872100/413838152/8
12:54:43 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /413838152/2/1410872100.swf
12:54:44 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /f/2/1410872100/413838152/7
12:54:47 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /413838152/2/1410872100.pdf
12:54:49 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /413838152/2/1410872100.htm
12:54:50 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - oflatiras.videosdeanimais.com.br - GET /f/2/1410872100/413838152/5/x0000700080150050f03040
45106565601;1;5

FIESTA EK URL THAT APPEARD DURING THE NUCLEAR EK:

12:54:53 UTC - 192.168.204.147:49677 - 107.23.255.195:80 - domainsfullkolls.biz - GET /zxj3iyd/?53977811ecb7cf6b504b5c0c0603000203020e0c035a010a000
10a55045c5204;2;5

POST-INFECTION CALLBACK TRAFFIC:

12:56:45 UTC - 192.168.204.147:49680 - 111.121.193.238:443
12:57:16 UTC - 192.168.204.147:49682 - 5.104.106.42:49674
12:57:22 UTC - 192.168.204.147:49683 - 103.15.107.118:17674
12:57:22 UTC - 192.168.204.147:49684 - 66.85.176.54:17674
12:57:22 UTC - 192.168.204.147:49685 - 188.190.114.109:17674
12:57:22 UTC - 192.168.204.147:49686 - 77.120.103.26:17674
several DNS queries to mail servers
several attempted connections for SMTP to those mail servers on TCP port 25

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name: 2014-09-16-Nuclear-EK-flash-exploit.swf
File size: 5.7 KB ( 5832 bytes )
MD5 hash: da5d57c700ebec211a6a57166700e796
Detection ratio: 1 / 55
First submission: 2014-09-15 10:38:54 UTC
VirusTotal link: https://www.virustotal.com/en/file/0c3304c65b3d9c42586ba104407c4bd0c9601eff54071fdc7c022b19a7fb69f4/analysis/

PDF EXPLOIT

File name: 2014-09-16-Nuclear-EK-pdf-exploit.pdf
File size: 9.6 KB ( 9880 bytes )
MD5 hash: dc4b3f27e564574e888a09a39775ae4e
Detection ratio: 2 / 53
First submission: 2014-09-16 13:56:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/8bfa87b410347a9bcf49ead272ee0c727febdb80f754caab8e2198acd18e8a24/analysis/

SILVERLIGHT EXPLOIT

File name: 2014-09-16-Nuclear-EK-silverlight-exploit.xap
File size: 8.9 KB ( 9146 bytes )
MD5 hash: 9e9497ec03bc45d9cae065e7f9e9d866
Detection ratio: 3 / 55
First submission: 2014-09-16 13:57:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/bf2e437e455f5697673b17eda5425ba17834d211a049dc8baccb17b93ff39aa7/analysis/

MALWARE PAYLOAD (TOFSEE)

File name: 2014-09-16-Nuclear-EK-malware-payload.exe
File size: 100.0 KB ( 102400 bytes )
MD5 hash: 652e59a91d328f504e6086efc5bd2e1d
Detection ratio: 2 / 55
First submission: 2014-09-16 13:59:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/ebe842085cf7430a1a523612603481b9e757b7388bc96adbe64b7d27f0a4292c/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

2014-09-16 12:54:38 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (sid:2019078)
2014-09-16 12:54:40 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct (sid:2019167)
2014-09-16 12:54:40 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
2014-09-16 12:54:40 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
2014-09-16 12:54:41 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
2014-09-16 12:54:43 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
2014-09-16 12:54:47 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - ET CURRENT_EVENTS Nuclear EK PDF URI Struct (sid:2017636)
2014-09-16 12:54:47 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client (sid:2013960)
2014-09-16 12:54:47 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
2014-09-16 12:54:49 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (sid:2017774)
2014-09-16 12:54:53 UTC - 192.168.204.147:49677 - 107.23.255.195:80 - ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded (sid:2013098)
2014-09-16 12:54:53 UTC - 192.168.204.147:49677 - 107.23.255.195:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex (sid:2013094)
2014-09-16 12:54:53 UTC - 192.168.204.147:49677 - 107.23.255.195:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
2014-09-16 12:56:46 UTC - 111.121.193.238:443 - 192.168.204.147:49680 - ETPRO TROJAN Win32/Tofsee Loader Config Download (sid:2808577)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

2014-09-16 12:54:38 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - [1:31734:2] EXPLOIT-KIT Nuclear exploit kit landing page detection
2014-09-16 12:54:39 UTC - 80.85.87.179 - 192.168.204.147 - [139:1:1] (spp_sdf) SDF Combination Alert
2014-09-16 12:54:41 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - [1:11192:16] FILE-EXECUTABLE download of executable content (x3)
2014-09-16 12:54:41 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
2014-09-16 12:54:41 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x3)
2014-09-16 12:54:41 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - [1:22002:5] FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected (x3)
2014-09-16 12:54:41 UTC - 80.85.87.179:80 - 192.168.204.147:49651 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x6)
2014-09-16 12:54:47 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - [138:4:1] SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
2014-09-16 12:54:49 UTC - 192.168.204.147:49651 - 80.85.87.179:80 - [1:29186:2] EXPLOIT-KIT Nuclear exploit kit outbound connection
2014-09-16 12:54:53 UTC - 192.168.204.147:49677 - 107.23.255.195:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in file from compromised website:

Redirect (gate) pointing to Nuclear EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP of the pcap: 2014-09-16-Nuclear-EK-traffic.pcap.zip
ZIP file of the malware: 2014-09-16-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.