2015-01-23 - NUCLEAR EK PUSHES VAWTRAK/NEVERQUEST
ASSOCIATED FILES:
- ZIP of the pcap: 2015-01-23-Nuclear-EK-and-vawtrak-traffic.pcap.zip
- ZIP of the malware: 2015-01-23-Nuclear-EK-and-vawtrak-malware.zip
NOTES:
- The compromised website, camhogger.com, has been kicking off Sweet Orange EK traffic from 2014-01-31 to 2015-01-20 (see Threatglass entries here).
- When I checked it on Friday, 2015-01-23, camhogger.com kicked off a Nuclear EK infection.
- This traffic has the same post-infection Vawtrak/NeverQuest traffic noted during a Neutrino EK infection 3 days later on Monday, 2015-01-26.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 96.44.135.89 - camhogger.com - Compromised website
- 188.226.180.82 - instanthold.gq - Nuclear EK
- 178.208.85.37 - cpucloc.com - Vawtrak/Neverquest post-infection traffic
- 50.7.240.10 - 50.7.240.10 - Vawtrak/Neverquest post-infection traffic over port 8080
COMPROMISED WEBSITE:
- 2015-01-23 23:34:15 UTC - camhogger.com - GET / HTTP/1.1
NUCLEAR EK:
- 2015-01-23 23:34:18 UTC - instanthold.gq - GET /BwoGUUkBTg4eAQNV.html
- 2015-01-23 23:34:19 UTC - instanthold.gq - GET /AEsSTlcLVlUeAE9dT1MGBwACA1QDB1VPUQUbCxwDVR0HVk8EXgc
- 2015-01-23 23:34:20 UTC - instanthold.gq - GET /A1oOV0lQC1IBTwAZCx4DAQAABlcFA1EDHgECHAsYVwQdUQAeB0l2Z1ozfw
- 2015-01-23 23:34:22 UTC - instanthold.gq - GET /A1oOV0lQC1IBTwAZCx4DAQAABlcFA1EDHgECHAsYVwQdUQAeB0lxXVgIQnguT1A
- 2015-01-23 23:34:24 UTC - instanthold.gq - GET /AEsSTlcLVlUeAE9dT1MGBwACA1QDB1VPUQUbCxwDVR0HVk8RW1lEV0Q
- 2015-01-23 23:34:25 UTC - instanthold.gq - GET /A1oOV0lQC1IBTwAZCx4DAQAABlcFA1EDHgECHAsYVwQdUQAeCkl2Z1ozfw
- 2015-01-23 23:34:27 UTC - instanthold.gq - GET /A1oOV0lQC1IBTwAZCx4DAQAABlcFA1EDHgECHAsYVwQdUQAeCklxXVgIQnguT1A
VAWTRAK/NEVERQUEST POST-INFECTION TRAFFIC:
- 2015-01-23 23:34:25 UTC - cpucloc.com - POST /collection/0000004E/00/4EDA9302
- 2015-01-23 23:34:26 UTC - cpucloc.com - POST /collection/0000004E/02/4EDA9302
- 2015-01-23 23:34:26 UTC - 50.7.240.10 port 8080 - Non-ASCII traffic
- 2015-01-23 23:34:26 UTC - cpucloc.com - POST /collection/0000004E/02/4EDA9302
- 2015-01-23 23:44:26 UTC - cpucloc.com - POST /collection/0000004E/00/4EDA9302
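A small detection script, added here as an example and not part of the original write-up, that turns the chain of events above into something a defender can run over proxy logs. It reads lines in the same "timestamp - host - METHOD path" layout used on this page, flags requests to the hosts listed under ASSOCIATED DOMAINS, matches the Vawtrak/NeverQuest check-in shape seen above (/collection/<8 hex>/<2 hex>/<8 hex>, a pattern inferred from the three POSTs listed, so treat it as an assumption rather than a documented protocol), and reports the gap between successive check-ins per host so the roughly ten-minute cadence stands out. The sample log is constructed: it copies lines from this page and adds two benign filler lines under example.org.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hosts taken from the ASSOCIATED DOMAINS list on this page. The compromised
# site (camhogger.com) is left out on purpose: it is a legitimate domain that
# was abused, so blocking or alerting on it alone produces noise.
KNOWN_BAD_HOSTS = {
    "instanthold.gq": "Nuclear EK",
    "cpucloc.com": "Vawtrak/NeverQuest C2",
    "50.7.240.10": "Vawtrak/NeverQuest C2 (port 8080)",
}

# Check-in URI shape inferred from the POSTs listed above (assumption):
#   /collection/0000004E/00/4EDA9302 -> /collection/<8 hex>/<2 hex>/<8 hex>
VAWTRAK_URI = re.compile(r"^/collection/[0-9A-Fa-f]{8}/[0-9A-Fa-f]{2}/[0-9A-Fa-f]{8}$")

# One request per line: "<date> <time> UTC - <host>[ port N] - <METHOD> <path> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<host>\S+)(?: port \d+)? - "
    r"(?P<method>[A-Z]+) (?P<path>\S+)"
)

# Constructed sample: lines copied from this page plus two benign filler lines.
SAMPLE_LOG = """\
2015-01-23 23:34:15 UTC - camhogger.com - GET / HTTP/1.1
2015-01-23 23:34:18 UTC - instanthold.gq - GET /BwoGUUkBTg4eAQNV.html
2015-01-23 23:34:25 UTC - cpucloc.com - POST /collection/0000004E/00/4EDA9302
2015-01-23 23:34:26 UTC - cpucloc.com - POST /collection/0000004E/02/4EDA9302
2015-01-23 23:44:26 UTC - cpucloc.com - POST /collection/0000004E/00/4EDA9302
2015-01-23 23:50:00 UTC - example.org - GET /index.html
2015-01-23 23:51:00 UTC - example.org - POST /collection/notahex/00/4EDA9302
"""


def parse_line(line):
    """Parse one log line; return None for lines without an HTTP method/path
    (for example the 'Non-ASCII traffic' entry on port 8080 above)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "host": m["host"],
        "method": m["method"],
        "path": m["path"],
    }


def classify(event):
    """Return the reasons a request looks malicious (empty list if none)."""
    reasons = []
    if event["host"] in KNOWN_BAD_HOSTS:
        reasons.append("known host: " + KNOWN_BAD_HOSTS[event["host"]])
    if event["method"] == "POST" and VAWTRAK_URI.match(event["path"]):
        reasons.append("Vawtrak-style /collection/ check-in URI")
    return reasons


def scan(log_text):
    """Return (timestamp, host, path, reasons) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ts"], ev["host"], ev["path"], reasons))
    return hits


def beacon_intervals(hits):
    """Seconds between successive check-in POSTs per host; a repeating gap
    (600 s in the sample) is the beaconing signal worth alerting on."""
    by_host = defaultdict(list)
    for ts, host, _path, reasons in hits:
        if any(r.startswith("Vawtrak-style") for r in reasons):
            by_host[host].append(ts)
    return {
        host: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for host, times in by_host.items()
    }


if __name__ == "__main__":
    for ts, host, path, reasons in scan(SAMPLE_LOG):
        print(ts, host, path, "; ".join(reasons))
    print(beacon_intervals(scan(SAMPLE_LOG)))
```

The URI regex matches the structure rather than the specific IDs, so it still fires if the bot ID or session field changes, while the host list catches the exploit-kit landing page whose paths carry no stable shape. Pair both with the interval check: a single /collection/ POST can be a false positive, but the same host re-contacted on a fixed cadence is much harder to explain away.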
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-01-23-Nuclear-EK-flash-exploit.swf
File size: 23.0 KB ( 23595 bytes )
MD5 hash: 3c89d96da3872d873e146d6ef813e39d
Detection ratio: 15 / 55
First submission: 2015-01-19 18:42:46 UTC
VirusTotal link: https://www.virustotal.com/en/file/97e4044a12e7abc3433f4349a1e33277082b6020438726b92bf00afa1501afdf/analysis/
SILVERLIGHT EXPLOIT:
File name: 2015-01-23-Nuclear-EK-silverlight-exploit.xap
File size: 17.4 KB ( 17841 bytes )
MD5 hash: db4e34961e2e6aa7853aa0c9a1d6b626
Detection ratio: 7 / 51
First submission: 2015-01-23 21:10:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/a81f23a1013fb2c9207de36195a41cace3b5874e8d8eff1c5129f0a1ec77b684/analysis/
MALWARE PAYLOAD:
File name: 2015-01-23-Nuclear-EK-malware-payload.exe
File size: 488.0 KB ( 499712 bytes )
MD5 hash: 51d78ac4ff683967f79cf5bdcee05426
Detection ratio: 16 / 57
First submission: 2015-01-26 21:38:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/5c19aec7c236f5de2b921a02dd4049af4110152c531390b4267297dae402f740/analysis/
DROPPED MALWARE:
File name: C:\ProgramData\JiceNfoju\YixoHosak.zsw
File size: 284.0 KB ( 290816 bytes )
MD5 hash: 3f62b465eb4fef45664ef387513c97cc
Detection ratio: 9 / 57
First submission: 2015-01-26 21:39:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/70c76f8111374f78081b6ca6472c43623b14c1b5e97d4a46f90cd76bff25f8c9/analysis/
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2015-01-23-Nuclear-EK-and-vawtrak-traffic.pcap.zip
- ZIP of the malware: 2015-01-23-Nuclear-EK-and-vawtrak-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.