2014-09-21 - NUCLEAR EK FROM 176.58.112.200 - AGELPIROSTAN.NEMISSA.INFO
ASSOCIATED FILES:
- ZIP of the pcap: 2014-09-21-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-21-Nuclear-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 194.110.243.156 - www.cairnsmhor.com - Compromised website
- 178.62.26.47 - gisigalor.micropakltd.co.uk - Redirect (gate)
- 176.58.112.200 - agelpirostan.nemissa.info - Nuclear EK
- 209.99.40.220 - domainsfullkolls.biz - Looks like a Fiesta EK URL
- various IP addresses - Post-infection traffic related to Win32/Tofsee
COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 21:11:49 UTC - 192.168.204.130:49631 194.110.243.156:80 - www.cairnsmhor.com - GET /
- 21:11:50 UTC - 192.168.204.130:49633 194.110.243.156:80 - www.cairnsmhor.com - GET /wp-content/themes/Thistle/js/jquery.js
- 21:11:51 UTC - 192.168.204.130:49637 178.62.26.47:80 - gisigalor.micropakltd.co.uk - GET /liroslow16.html
NUCLEAR EK:
- 21:11:51 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /9e1ea234k1z9wj/1/9ffbf35e4190fbba62f70c8477fa3964.html
- 21:11:54 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /1442113310/2/1411333920.xap
- 21:11:55 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /f/2/1411333920/1442113310/8
- 21:11:57 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /1442113310/2/1411333920.swf
- 21:12:20 UTC - 192.168.204.130:49640 176.58.112.200:80 - agelpirostan.nemissa.info - GET /f/2/1411333920/1442113310/7
- 21:12:25 UTC - 192.168.204.130:49640 176.58.112.200:80 - agelpirostan.nemissa.info - GET /1442113310/2/1411333920.pdf
- 21:12:26 UTC - 192.168.204.130:49641 176.58.112.200:80 - agelpirostan.nemissa.info - GET /1442113310/2/1411333920.htm
- 21:12:30 UTC - 192.168.204.130:49641 176.58.112.200:80 - agelpirostan.nemissa.info - GET /f/2/1411333920/1442113310/5/x0090407000700080150050f0304045106565601;1;5
TRAFFIC TO OTHER DOMAINS - POSSIBLY RELATED TO THE NUCLEAR EK:
- 21:12:34 UTC - 192.168.204.130:49642 209.99.40.220:80 - domainsfullkolls.biz - GET /zxj3iyd/?53977811ecb7cf6b504b5c0c0603000203020e0c035a010a00010a55045c5204;2;5
- 21:13:11 UTC - 192.168.204.130:49643 194.110.243.156:80 - www.cairnsmhor.com - GET /1442113310/2/1411333920.jar
- 21:13:30 UTC - 192.168.204.130:49647 194.110.243.156:80 - www.cairnsmhor.com - GET /1442113310/2/1411333920.jar
- 21:13:35 UTC - 192.168.204.130:49649 194.110.243.156:80 - www.cairnsmhor.com - GET /1442113310/2/1411333920.jar
- 21:13:36 UTC - 192.168.204.130:49650 194.110.243.156:80 - www.cairnsmhor.com - GET /1442113310/2/1411333920.jar
- 21:13:38 UTC - 192.168.204.130:49652 194.110.243.156:80 - www.cairnsmhor.com - GET /Mikado/class.class
POST-INFECTION TRAFFIC:
- 21:13:14 UTC - 192.168.204.130:49646 111.121.193.238:443 - Win32/Tofsee Loader Config Download
- 21:13:46 UTC - 192.168.204.130:49653 91.218.212.62:37143 - post-infection traffic
- 21:13:52 UTC - 192.168.204.130:49654 174.127.73.5:5143 - post-infection traffic
- 21:13:52 UTC - 192.168.204.130:49655 67.213.213.26:5143 - post-infection traffic
- 21:13:52 UTC - 192.168.204.130:49656 77.120.103.26:5143 - post-infection traffic
- 21:14:22 UTC - 192.168.204.130:49693 91.218.212.62:37143 - post-infection traffic
- 21:14:55 UTC - 192.168.204.130:49711 91.218.212.62:37143 - post-infection traffic
- Several TCP connections with mail servers to send spam (not included in the pcap)
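Added example, not part of the original post: a small Python parser that reads request lines in the format used in the chain of events above and tags the Nuclear EK URI structure seen in this capture (landing page, exploit file, payload). The three patterns are generalised from this capture's URIs only, an assumption rather than the Emerging Threats signatures listed later; the sample log is constructed from the lines above.

```python
import re
from collections import Counter

# Constructed sample, copied in shape from the chain of events above.
SAMPLE_LOG = """\
21:11:51 UTC - 192.168.204.130:49637 178.62.26.47:80 - gisigalor.micropakltd.co.uk - GET /liroslow16.html
21:11:51 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /9e1ea234k1z9wj/1/9ffbf35e4190fbba62f70c8477fa3964.html
21:11:54 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /1442113310/2/1411333920.xap
21:11:55 UTC - 192.168.204.130:49638 176.58.112.200:80 - agelpirostan.nemissa.info - GET /f/2/1411333920/1442113310/8
21:12:25 UTC - 192.168.204.130:49640 176.58.112.200:80 - agelpirostan.nemissa.info - GET /1442113310/2/1411333920.pdf
21:13:11 UTC - 192.168.204.130:49643 194.110.243.156:80 - www.cairnsmhor.com - GET /1442113310/2/1411333920.jar
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - GET (?P<uri>\S+)$"
)

# URI structure observed in this capture (assumption: generalised from the
# requests above, not the Emerging Threats signatures that fired on them).
STAGES = [
    ("landing", re.compile(r"^/[0-9a-z]+/1/[0-9a-f]{32}\.html$")),
    ("exploit", re.compile(r"^/\d{10}/2/\d{10}\.(xap|swf|pdf|htm|jar)$")),
    ("payload", re.compile(r"^/f/2/\d{10}/\d{10}/\d(/|$)")),
]

def classify(uri):
    """Return the Nuclear EK stage a URI matches, or None."""
    for name, pat in STAGES:
        if pat.match(uri):
            return name
    return None

def find_ek_hosts(log_text):
    """Map host -> Counter of matched stages for every request in the log."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify(m["uri"])
        if stage:
            hits.setdefault(m["host"], Counter())[stage] += 1
    return hits

if __name__ == "__main__":
    for host, stages in find_ek_hosts(SAMPLE_LOG).items():
        print(host, dict(stages))
```

Note that the compromised site www.cairnsmhor.com is tagged as well, because the JAR requests at 21:13 reuse the same numeric URI structure as the EK domain.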
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-09-21-Nuclear-EK-flash-exploit.swf
File size: 5.7 KB ( 5843 bytes )
MD5 hash: c6309f9e43541b75295f207d57556a97
Detection ratio: 2 / 55
First submission: 2014-09-18 19:54:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/32698be0ba9e3258bc0eaafb18f462dfb709c36a8ac080c8d4fb5d7b3e96afd4/analysis/
PDF EXPLOIT
File name: 2014-09-21-Nuclear-EK-pdf-exploit.pdf
File size: 9.4 KB ( 9592 bytes )
MD5 hash: 4e38c6e3e815d9fb489a6dd3c1b8c559
Detection ratio: 2 / 55
First submission: 2014-09-21 21:52:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/3f5defd437a56dd0efa519c253827934ffd8b59925e8d1517b591da8409a6632/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-09-21-Nuclear-EK-silverlight-exploit.xap
File size: 7.6 KB ( 7739 bytes )
MD5 hash: ab49ec00726f1715f19ada50e50ce391
Detection ratio: 2 / 55
First submission: 2014-09-21 21:52:44 UTC
VirusTotal link: https://www.virustotal.com/en/file/92c17d53aee6816a3caa7379bf972e3071996ce41e77ad284269a579ce2851ee/analysis/
MALWARE PAYLOAD
File name: 2014-09-21-Nuclear-EK-malware-payload.exe
File size: 176.0 KB ( 180224 bytes )
MD5 hash: ab8d3d76d16b694e5e6ad29df67a9522
Detection ratio: 4 / 55
First submission: 2014-09-21 21:53:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/b5ab9fae39999ca8f07c9a8cd42130b1ac6b062927cb28fbad985758bda6bc52/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-09-21 21:11:52 UTC - 176.58.112.200:80 - 192.168.204.130:49638 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (sid:2019078)
- 2014-09-21 21:11:54 UTC - 192.168.204.130:49638 - 176.58.112.200:80 - ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct (sid:2019167)
- 2014-09-21 21:11:54 UTC - 192.168.204.130:49638 - 176.58.112.200:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
- 2014-09-21 21:11:55 UTC - 192.168.204.130:49638 - 176.58.112.200:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
- 2014-09-21 21:11:55 UTC - 176.58.112.200:80 - 192.168.204.130:49638 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
- 2014-09-21 21:11:57 UTC - 176.58.112.200:80 - 192.168.204.130:49638 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
- 2014-09-21 21:12:25 UTC - 192.168.204.130:49640 - 176.58.112.200:80 - ET CURRENT_EVENTS Nuclear EK PDF URI Struct (sid:2017636)
- 2014-09-21 21:12:26 UTC - 192.168.204.130:49641 - 176.58.112.200:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014 (sid:2019189)
- 2014-09-21 21:12:26 UTC - 192.168.204.130:49641 - 176.58.112.200:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (sid:2017774)
- 2014-09-21 21:12:26 UTC - 176.58.112.200:80 - 192.168.204.130:49640 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client (sid:2013960)
- 2014-09-21 21:12:26 UTC - 176.58.112.200:80 - 192.168.204.130:49640 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
- 2014-09-21 21:12:34 UTC - 192.168.204.130:49642 - 209.99.40.220:80 - ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded (sid:2013098)
- 2014-09-21 21:12:34 UTC - 192.168.204.130:49642 - 209.99.40.220:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex (sid:2013094)
- 2014-09-21 21:12:34 UTC - 192.168.204.130:49642 - 209.99.40.220:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-09-21 21:13:11 UTC - 192.168.204.130:49643 - 194.110.243.156:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
- 2014-09-21 21:13:15 UTC - 111.121.193.238:443 - 192.168.204.130:49646 - ETPRO TROJAN Win32/Tofsee Loader Config Download (sid:2808577)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-09-21 21:11:53.423387 176.58.112.200:80 - 192.168.204.130:49638 - [1:31734:2] EXPLOIT-KIT Nuclear exploit kit landing page detection
- 2014-09-21 21:11:55.693487 176.58.112.200:80 - 192.168.204.130:various - [1:11192:16] FILE-EXECUTABLE download of executable content (x3)
- 2014-09-21 21:11:55.693487 176.58.112.200:80 - 192.168.204.130:various - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
- 2014-09-21 21:11:55.693487 176.58.112.200:80 - 192.168.204.130:various - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x3)
- 2014-09-21 21:11:55.693487 176.58.112.200:80 - 192.168.204.130:various - [1:22002:5] FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected (x3)
- 2014-09-21 21:12:32.043556 176.58.112.200:80 - 192.168.204.130:49641 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
- 2014-09-21 21:12:34.384588 192.168.204.130:49642 - 209.99.40.220:80 - [1:29443:7] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
- 2014-09-21 21:13:11.390727 192.168.204.130:various - 194.110.243.156:80 - [1:30219:3] EXPLOIT-KIT Nuclear exploit kit outbound jar request
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe in file from compromised website:
Redirect pointing to Nuclear EK landing page:
Example of the spam traffic sent by the infected host (not included in the pcap):
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-09-21-Nuclear-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-09-21-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.