2015-10-30 - NUCLEAR EK FROM 188.166.65.14
ASSOCIATED FILES:
- ZIP file of the PCAP: 2015-10-30-Nuclear-EK-traffic.pcap.zip 2.0 MB (1,982,829 bytes)
- ZIP file of the malware: 2015-10-30-Nuclear-EK-malware-and-artifacts.zip 1.4 MB (1,403,970 bytes)
CHAIN OF EVENTS
Shown above: Results in Security Onion after using tcpreplay on the pcap.
ASSOCIATED DOMAINS:
- 104.28.28.185 port 80 - gasfiliera.it - Compromised website
- 188.166.65.14 port 80 - yjlvh61dby62cvao5.ml - Nuclear EK
- 77.122.234.122 port 80 - 77.122.234.122 - Post-infection traffic - GET /harsh02.exe
- 188.2.225.220 port 80 - 188.2.225.220 - Post-infection traffic - GET /welcome.htm - GET /home.htm
- 130.180.212.70 port 80 - 130.180.212.70 - Post-infection traffic - GET /online.htm
- 106.242.117.85 port 80 - 106.242.117.85 - Post-infection traffic - GET /setup.htm
- 46.118.178.14 port 80 - 46.118.178.14 - Post-infection traffic - GET /file.htm - GET /install.htm
- 186.115.146.227 port 80 - 186.115.146.227 - Post-infection traffic - GET /index.htm - GET /file.htm
IMAGES FROM THE TRAFFIC
Shown above: Injected script in page from the compromised website.
Shown above: HTTP requests during the traffic.
Shown above: Filtering the traffic in Wireshark, you'll find more than 150 IP addresses the infected host reached out to.
Shown above: Post-infection traffic also shows DNS queries to unusual IP addresses.
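Added example, not part of the original post: a small Python check for the two post-infection behaviours noted above, a host sending DNS queries to hosts other than its approved resolver, and a host fanning out HTTP GETs to an unusually large set of distinct IP addresses. The flow records are constructed from the IPs and URIs listed in this post; the resolver 10.0.0.53 and the internal hosts 10.0.0.25/10.0.0.26 are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    detail: str  # DNS qname or HTTP request line
# Assumptions for this example: approved resolver 10.0.0.53, infected host
# 10.0.0.25, clean host 10.0.0.26 (all constructed, not from the pcap).
APPROVED_RESOLVERS = {"10.0.0.53"}
FANOUT_THRESHOLD = 5  # kept low for the sample; the real capture showed 150+ IPs

# Constructed flows modelled on the chain of events listed above.
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "10.0.0.53", 53, "udp", "gasfiliera.it"),
    Flow("10.0.0.25", "104.28.28.185", 80, "tcp", "GET /"),
    Flow("10.0.0.25", "10.0.0.53", 53, "udp", "yjlvh61dby62cvao5.ml"),
    Flow("10.0.0.25", "188.166.65.14", 80, "tcp", "GET /"),
    Flow("10.0.0.25", "77.122.234.122", 80, "tcp", "GET /harsh02.exe"),
    Flow("10.0.0.25", "188.2.225.220", 80, "tcp", "GET /welcome.htm"),
    Flow("10.0.0.25", "130.180.212.70", 80, "tcp", "GET /online.htm"),
    Flow("10.0.0.25", "106.242.117.85", 80, "tcp", "GET /setup.htm"),
    Flow("10.0.0.25", "46.118.178.14", 80, "tcp", "GET /file.htm"),
    Flow("10.0.0.25", "186.115.146.227", 80, "tcp", "GET /index.htm"),
    # DNS sent straight to non-resolver hosts (qnames are constructed placeholders).
    Flow("10.0.0.25", "188.2.225.220", 53, "udp", "constructed-a.invalid"),
    Flow("10.0.0.25", "46.118.178.14", 53, "udp", "constructed-b.invalid"),
    Flow("10.0.0.26", "104.28.28.185", 80, "tcp", "GET /"),  # clean host for contrast
]

def rogue_dns(flows, approved=APPROVED_RESOLVERS):
    """DNS queries (port 53) sent to anything other than an approved resolver."""
    return [f for f in flows if f.dport == 53 and f.dst not in approved]

def http_fanout(flows):
    """Map each source host to the set of distinct IPs it sent HTTP requests to."""
    fanout = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 80:
            fanout[f.src].add(f.dst)
    return fanout

def flag_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Hosts whose distinct HTTP destination count meets the threshold, sorted."""
    return sorted(s for s, d in http_fanout(flows).items() if len(d) >= threshold)

if __name__ == "__main__":
    print("rogue DNS to:", [f.dst for f in rogue_dns(SAMPLE_FLOWS)], "fan-out:", flag_fanout(SAMPLE_FLOWS))
```

On a real capture the same two checks can be fed from Zeek conn/dns logs or a `tshark` field export instead of the constructed list.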
FINAL NOTES
Once again, here are the associated files:
- ZIP file of the above PCAP: 2015-10-30-Nuclear-EK-traffic.pcap.zip 2.0 MB (1,982,829 bytes)
- ZIP file of the malware: 2015-10-30-Nuclear-EK-malware-and-artifacts.zip 1.4 MB (1,403,970 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.