2015-01-23 - WINDIGO GROUP NUCLEAR EK FROM 188.40.64.218 - N1HXFTESFM3N4333AH61XNF.AJANSHIZMETI.COM
ASSOCIATED FILES:
- ZIP of the pcap: 2015-01-23-Windigo-group-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2015-01-23-Windigo-group-Nuclear-EK-malware.zip
NOTES:
- For more information about Operation Windigo, ESET published a report available here.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 188.40.64.218 - owtfx4nbf9gf8t5593eu3zj.ajanshizmeti.com - Redirect
- 188.40.64.218 - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - Nuclear EK
CUSHION REDIRECT:
- 19:45:30 UTC - owtfx4nbf9gf8t5593eu3zj.ajanshizmeti.com - GET /index.php?m=[long string of characters]
- 19:45:31 UTC - owtfx4nbf9gf8t5593eu3zj.ajanshizmeti.com - GET /viewtopic.php?t=MTI1MzU5N2FmYjQ5ODhjMjMwNTNlMDRiMGJmM2JiM2M5
NUCLEAR EK:
- 19:45:32 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /UQEGAEQATAA.html
- 19:45:33 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BxpDHgtSBVMdCEtTHgJWCgMABVMKB1IeBkwOAx4FTwgAVB5VDgo
- 19:45:34 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPVURUamQ2b0Il
- 19:45:37 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPVURnSmMUd0UjC3UeCg
- 19:45:40 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /UQEGAEQATAA.html
- 19:45:41 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPVURkc1AXdFYwLGk
- 19:45:43 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPVUR0UlkLVG0PCXoXRAM
- 19:45:43 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BxpDHgtSBVMdCEtTHgJWCgMABVMKB1IeBkwOAx4FTwgAVB5AC1RHVUM
- 19:45:44 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPWkRkc1AXdFYwLGk
- 19:45:45 UTC - n1hxftesfm3n4333ah61xnf.ajanshizmeti.com - GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPWkR0UlkLVG0PCXoXRAM
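The chain above has a recognisable shape: a redirect on one random-looking subdomain, then a short .html landing page on a second random-looking subdomain of the same domain, followed within seconds by several requests for long opaque paths (exploit and payload fetches). The script below is an added example, not part of the original post, that runs that heuristic over constructed log lines rebuilt from this page's chain of events (plus one benign control request); the log format and thresholds are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (time host method path), rebuilt from the chain of events
# on this page; the m= value is a placeholder and the last line is a benign control.
LOG_LINES = """19:45:30 owtfx4nbf9gf8t5593eu3zj.ajanshizmeti.com GET /index.php?m=PLACEHOLDER
19:45:31 owtfx4nbf9gf8t5593eu3zj.ajanshizmeti.com GET /viewtopic.php?t=MTI1MzU5N2FmYjQ5ODhjMjMwNTNlMDRiMGJmM2JiM2M5
19:45:32 n1hxftesfm3n4333ah61xnf.ajanshizmeti.com GET /UQEGAEQATAA.html
19:45:33 n1hxftesfm3n4333ah61xnf.ajanshizmeti.com GET /BxpDHgtSBVMdCEtTHgJWCgMABVMKB1IeBkwOAx4FTwgAVB5VDgo
19:45:34 n1hxftesfm3n4333ah61xnf.ajanshizmeti.com GET /BAtfB0QCUwQDRQYeU09TDAMCAVULBFJST1cWBwIfVRcGVVRPVURUamQ2b0Il
19:45:50 www.example.com GET /news/index.html
"""

RANDOM_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{16,}$")  # long mixed-alnum leftmost label
OPAQUE_PATH = re.compile(r"^/[A-Za-z0-9+=_-]{40,}$")               # one long token, no extension

def parse(line):
    t, host, _method, path = line.split(" ", 3)
    return datetime.strptime(t, "%H:%M:%S"), host.lower(), path

def parent_domain(host):
    return ".".join(host.split(".")[-2:])

def find_ek_chains(log_text, window=timedelta(seconds=10)):
    """One finding per host that looks like the Nuclear EK stage above: random
    subdomain, short .html landing page, then >=2 opaque long-token paths within
    `window`. Also records a preceding redirect host on the same parent domain."""
    reqs = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for host in sorted({h for _, h, _ in reqs}):
        if not RANDOM_LABEL.match(host.split(".")[0]):
            continue
        own = [r for r in reqs if r[1] == host]
        landings = [r for r in own if r[2].endswith(".html") and len(r[2]) <= 20]
        for t0, _, _ in landings:
            payloads = [r for r in own if OPAQUE_PATH.match(r[2]) and t0 <= r[0] <= t0 + window]
            if len(payloads) < 2:
                continue
            redirect = [r[1] for r in reqs if r[1] != host
                        and parent_domain(r[1]) == parent_domain(host)
                        and t0 - window <= r[0] < t0]
            findings.append({"ek_host": host, "landing_at": t0.strftime("%H:%M:%S"),
                             "payload_requests": len(payloads),
                             "redirect_host": redirect[-1] if redirect else None})
            break  # one finding per host is enough
    return findings

if __name__ == "__main__":
    for finding in find_ek_chains(LOG_LINES):
        print(finding)
```

The redirect host itself has a random label but no landing page, so it is reported only as the referrer of the EK host, not as a finding of its own.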
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-01-23-Windigo-group-Nuclear-EK-flash-exploit.swf
File size: 23.0 KB ( 23595 bytes )
MD5 hash: 3c89d96da3872d873e146d6ef813e39d
Detection ratio: 2 / 57
First submission: 2015-01-19 18:42:46 UTC
VirusTotal link: https://www.virustotal.com/en/file/97e4044a12e7abc3433f4349a1e33277082b6020438726b92bf00afa1501afdf/analysis/
SILVERLIGHT EXPLOIT:
File name: 2015-01-23-Windigo-group-Nuclear-EK-silverlight-exploit.xap
File size: 17.4 KB ( 17841 bytes )
MD5 hash: db4e34961e2e6aa7853aa0c9a1d6b626
Detection ratio: 0 / 57
First submission: 2015-01-23 21:10:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/a81f23a1013fb2c9207de36195a41cace3b5874e8d8eff1c5129f0a1ec77b684/analysis/
MALWARE PAYLOAD:
File name: 2015-01-23-Windigo-group-Nuclear-EK-malware-payload.exe
File size: 128.1 KB ( 131206 bytes )
MD5 hash: eb793dda85eb6783b4f1a413233c91f2
Detection ratio: 5 / 56
First submission: 2015-01-23 21:10:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/bf431a5c7ebe77009288eafd6b356f92cb6f70a58a24d737cb0be422e8f369b0/analysis/
Malwr link: https://malwr.com/analysis/ZDdhOWJjNjlhYzA0NGU2MGE2MjczM2RlZGIwNWZhNGI/
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.