2014-06-22 - NUCLEAR EK FROM 5.101.140[.]53 - CROWDFUNDING.MAZATLAN-MAZTERS[.]COM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-06-22-Nuclear-EK-traffic.pcap.zip
• 2014-06-22-Nuclear-EK-malware.zip

 

CHAIN OF EVENTS

• 01:12:58 UTC - 5.101.140[.]53:80 - crowdfunding.mazatlan-mazters[.]com - GET /54659720vcxg.html
• 01:13:09 UTC - 5.101.140[.]53:80 - crowdfunding.mazatlan-mazters[.]com - GET /1066851726/3/1403378640.jar
• 01:13:10 UTC - 5.101.140[.]53:80 - crowdfunding.mazatlan-mazters[.]com - GET /f/3/1403378640/1066851726/2
• 01:13:10 UTC - 5.101.140[.]53:80 - crowdfunding.mazatlan-mazters[.]com - GET /f/3/1403378640/1066851726/2/2

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-06-22-Nuclear-EK-java-exploit.jar
File size:  12,493 bytes
MD5 hash:  0cb56ca4e9d3bd7f9ff8fe9c328cef31
Detection ratio:  1 / 53
First submission:  2014-06-22 01:25:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/19ff7f906b844d9b20f7e73ecdecf0f4600ae338d510a9a2f69244319e7047e5/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-22-Nuclear-EK-malware-payload.exe
File size:  106,320 bytes
MD5 hash:  2ad148c1efc1b9d706dc99a45e760690
Detection ratio:  1 / 53
First submission:  2014-06-22 01:25:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d64e7412f28ef90e58d4464153b19416c1e6e2568aa3e9dc2c335b89070b4eaf/analysis/

 

ALERTS

Emerging Threats and ETPRO rulesets:

• 2014-06-22 01:13:09 UTC - 5.101.140[.]53:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)

Sourcefire VRT ruleset:

• 2014-06-22 01:13:09 UTC - 5.101.140[.]53:80 - EXPLOIT-KIT Nuclear exploit kit outbound jar request (sid:30219)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - EXPLOIT-KIT Nuclear exploit kit outbound payload request (sid:30220)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
• 2014-06-22 01:13:10 UTC - 5.101.140[.]53:80 - EXPLOIT-KIT Multiple exploit kit single digit exe detection (sid:28423)

NOTE: These alerts were taken from Sguil on Security Onion

 

Click here to return to the main page.