2016-02-15 - NUCLEAR EK FROM 198.199.124.127 SENDS VAWTRAK
PCAP AND MALWARE:
- ZIP archive of the above two PCAPs: 2016-02-15-Nuclear-EK-both-runs.zip 974.4 kB (974,353 bytes)
- ZIP archive of the malware and artifacts: 2016-02-15-Nuclear-EK-malware-and-artifacts.zip 382.6 kB (382,633 bytes)
CHAIN OF EVENTS
START TIMES FOR THE TRAFFIC:
- First run start time: 2016-02-15 22:29 UTC
- Second run start time: 2016-02-15 22:33 UTC
ASSOCIATED DOMAINS:
- shaterabbas.ca - Compromised
- 83.220.175.111 port 80 - myserviceglobal.info - Gate/redirect
- 198.199.124.127 port 80 - drochforbro.info - Nuclear EK
- 91.229.79.91 port 80 - selectprogfile.info - Vawtrak post-infection traffic
- 95.213.139.116 port 80 - 95.213.139.116 - Vawtrak post-infection traffic
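The domains and IPs listed above form the redirect chain seen in both runs (compromised site, gate, Nuclear EK, then Vawtrak post-infection traffic). The script below is an added example, not part of this post: it loads those indicators, matches them against web-proxy log lines, and checks whether the hits appear in the order the chain describes. The log format, the client address, the paths, and the 203.0.113.10 address for the compromised site are all constructed for the example.

```python
"""Match proxy log lines against the indicators from this post and
summarise the redirect chain they form. Added example; log format,
client IP, request paths and the compromised site's IP are constructed."""
import re

# Indicators taken from the post: hostname -> (chain role, server IP).
# The post gives no IP for the compromised site, so None is used there.
INDICATORS = {
    "shaterabbas.ca": ("compromised site", None),
    "myserviceglobal.info": ("gate/redirect", "83.220.175.111"),
    "drochforbro.info": ("Nuclear EK", "198.199.124.127"),
    "selectprogfile.info": ("Vawtrak post-infection", "91.229.79.91"),
    "95.213.139.116": ("Vawtrak post-infection", "95.213.139.116"),
}
# Reverse lookup so a destination IP alone also matches (e.g. no Host header).
IP_TO_ROLE = {ip: role for role, ip in INDICATORS.values() if ip}

# Stage order of the infection chain as described in the post.
CHAIN_ORDER = ["compromised site", "gate/redirect", "Nuclear EK",
               "Vawtrak post-infection"]

# Constructed log format:
# "<date> <UTC time> <client> <dst_ip>:<port> <host> <method> <path>"
LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dst_ip, port, host, method, path = m.groups()
    return {"ts": ts, "client": client, "dst_ip": dst_ip, "port": int(port),
            "host": host, "method": method, "path": path}


def classify(rec):
    """Return the chain role for a parsed record, or None if nothing matches."""
    if rec is None:
        return None
    hit = INDICATORS.get(rec["host"].lower())
    if hit:
        return hit[0]
    return IP_TO_ROLE.get(rec["dst_ip"])


def summarise(lines):
    """Return (hits, chain_complete).

    hits: list of (timestamp, client, host, role) for lines matching an indicator.
    chain_complete: True when every stage in CHAIN_ORDER appeared, first-seen order.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        role = classify(rec)
        if role:
            hits.append((rec["ts"], rec["client"], rec["host"], role))
    stages_seen = []
    for _, _, _, role in hits:
        if role not in stages_seen:
            stages_seen.append(role)
    return hits, stages_seen == CHAIN_ORDER


# Constructed sample log resembling the second run (22:33 UTC). The benign
# www.example.com line is there to show that unrelated traffic is not flagged.
SAMPLE_LOG = [
    "2016-02-15 22:33:01 10.0.0.5 203.0.113.10:80 shaterabbas.ca GET /",
    "2016-02-15 22:33:02 10.0.0.5 83.220.175.111:80 myserviceglobal.info GET /in.php",
    "2016-02-15 22:33:03 10.0.0.5 198.199.124.127:80 drochforbro.info GET /landing",
    "2016-02-15 22:33:05 10.0.0.5 198.51.100.7:80 www.example.com GET /",
    "2016-02-15 22:33:20 10.0.0.5 91.229.79.91:80 selectprogfile.info POST /",
    "2016-02-15 22:33:40 10.0.0.5 95.213.139.116:80 95.213.139.116 POST /",
]

if __name__ == "__main__":
    hits, complete = summarise(SAMPLE_LOG)
    for ts, client, host, role in hits:
        print(f"{ts}  {client}  {host:<22}  {role}")
    print("full chain observed in order:", complete)
```

Matching on both hostname and destination IP matters here because the last Vawtrak callback in the post goes straight to 95.213.139.116 with no domain at all; a hostname-only check would miss it.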
IMAGES
[Image] PCAP from the first run, filtered in Wireshark (Nuclear EK, but no payload).
[Image] PCAP from the second run, filtered in Wireshark (Nuclear EK sent Vawtrak payload).
[Image] Injected script in page from the compromised website.
[Image] Alerts from Sguil on Security Onion using Suricata with the Emerging Threats ruleset.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the above two PCAPs: 2016-02-15-Nuclear-EK-both-runs.zip 974.4 kB (974,353 bytes)
- ZIP archive of the malware and artifacts: 2016-02-15-Nuclear-EK-malware-and-artifacts.zip 382.6 kB (382,633 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.