2017-03-02 - NEBULA EK SENDS DIAMONDFOX MALWARE

ASSOCIATED FILES:

  • 2017-03-02-Nebula-EK-1st-run.pcap   (1,117,128 bytes)
  • 2017-03-02-Nebula-EK-2nd-run.pcap   (425,928 bytes)
  • 2017-03-02-Nebula-EK-3rd-run.pcap   (141,828 bytes)
  • 2017-03-02-Nebula-EK-4th-run.pcap   (155,956 bytes)
  • 2017-03-02-Nebula-EK-5th-run.pcap   (216,042 bytes)
  • ZIP archive of the malware:  2017-03-02-Nebula-EK-malware-and-artifacts.zip   356 kB (356,084 bytes)
    • 2017-03-02-Nebula-EK-flash-exploit-1-of-2.swf   (45,026 bytes)
    • 2017-03-02-Nebula-EK-flash-exploit-2-of-2.swf   (21,100 bytes)
    • 2017-03-02-Nebula-EK-landing-page-1-of-2.txt   (55,002 bytes)
    • 2017-03-02-Nebula-EK-landing-page-2-of-2.txt   (33,167 bytes)
    • 2017-03-02-Nebula-EK-payload-DiamondFox.exe   (208,896 bytes)
    • 2017-03-02-page-from-hurtmehard.net-with-injected-script-1st-run.txt   (188,732 bytes)
    • 2017-03-02-page-from-hurtmehard.net-with-injected-script-2nd-run.txt   (188,851 bytes)
    • 2017-03-02-page-from-hurtmehard.net-with-injected-script-3rd-run.txt   (188,994 bytes)
    • 2017-03-02-page-from-hurtmehard.net-with-injected-script-4th-run.txt   (189,361 bytes)
    • 2017-03-02-page-from-hurtmehard.net-with-injected-script-5th-run.txt   (188,968 bytes)

    BACKGROUND ON NEBULA EK:

    OTHER NOTES:


    TRAFFIC


    Shown above:  An example of injected script in a page from the compromised site.



    Shown above:  Pcap of the infection traffic filtered in Wireshark.


    ASSOCIATED DOMAINS:


    NEBULA EK LANDING PAGE URLS:


    NEBULA EK FLASH EXPLOIT URLS:


    NEBULA EK PAYLOAD URLS:


    FILE HASHES

    FLASH EXPLOIT:

    PAYLOAD:


    IMAGES


    Shown above:  Alerts on the traffic from the ETPRO ruleset using Sguil on Security Onion.



    Shown above:  Malware made persistent on the infected Windows host.



    Shown above:  Some processes related to the infection.



    Shown above:  The infected host reporting keylogging data (not included in the pcaps).


    FINAL NOTES

    Once again, here are the associated files:

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
