Note:

  • Thanks to Francis Trudeau for access to his lab

This sample was pulled from Threatglass.com: http://threatglass.com/malicious_urls/ncef-org-np

Compromised Domain and Infection Chain
  • 2015-03-11 18:44:00 UTC - 184.171.254.44 - ncef.org.np - GET /
  • 2015-03-11 18:44:02 UTC - 184.171.254.44 - ncef.org.np - GET /images/gallery/thumbs/social-buttons.php
Nuclear EK
  • 2015-03-11 18:44:05 UTC - 108.61.166.110 - charlottmehrmann.cf - GET /VlMEXUwDW00D.html
  • 2015-03-11 18:44:06 UTC - 108.61.166.110 - charlottmehrmann.cf - GET /AEpHGQNTUAlOU1oZA0tUBABVAQtbVlECS1MEHFECB0xTUAcZXQNOBV0A
  • 2015-03-11 18:44:09 UTC - 108.61.166.110 - charlottmehrmann.cf - GET /A1tbAEwBAgIKHlNdTgYZAQZRBwJbW1EGBxkGBk0DAVdMVAcCSwgBHwROGgEGS1ANW1o5RQ
  • 2015-03-11 18:44:10 UTC - 108.61.166.110 - charlottmehrmann.cf - GET /A1tbAEwBAgIKHlNdTgYZAQZRBwJbW1EGBxkGBk0DAVdMVAcCSwgBHwROLwcOZ0EZAg
  • 2015-03-11 18:44:16 UTC - 108.61.166.110 - charlottmehrmann.cf - GET /A1tbAEwBAgIKHlNdTgYZAQZRBwJbW1EGBxkGBk0DAVdMVAcCSwgBHwRODwoCY1AZAg
Post-Infection Traffic
  • 2015-03-11 18:44:33 UTC - 85.65.55.219 - 85.65.55.219 - GET /kernel1.exe
  • 2015-03-11 18:44:33 UTC - 31.170.158.55 - 31.170.158.55 - GET /kernel1.exe
IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-03-11-18:44:05 UTC 108.61.166.110:80 -> 192.168.43.10:1090 - ET CURRENT EVENTS DRIVEBY Nuclear EK Landing Feb 03 2015 M2
2015-03-11-18:44:06 UTC 108.61.166.110:80 -> 192.168.43.10:1092 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-03-11-18:44:06 UTC 108.61.166.110:80 -> 192.168.43.10:1092 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF
2015-03-11-18:44:06 UTC 108.61.166.110:80 -> 192.168.43.10:1092 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-03-11-18:44:06 UTC 108.61.166.110:80 -> 192.168.43.10:1090 - ET CURRENT EVENTS DRIVEBY Nuclear EK Landing Feb 03 2015 M2
2015-03-11-18:44:10 UTC 108.61.166.110:80 -> 192.168.43.10:1092 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-03-11-18:44:16 UTC 108.61.166.110:80 -> 192.168.43.10:1092 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-03-11-18:44:33 UTC 192.168.43.10:1100 -> 85.65.55.219:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
2015-03-11-18:44:34 UTC 85.65.55.219:80 -> 192.168.43.10:1100 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
2015-03-11-18:45:48 UTC 192.168.43.10:1109 -> 31.170.158.55:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure

The post-Nuclear payload kernel1.exe was run in a lab, which triggered the following IDS signatures from the Emerging Threats Pro Ruleset:
2015-03-22-16:41:34 UTC 10.10.10.103:49197 -> 5.248.178.75:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:46:42 UTC 10.10.10.103:49196 -> 159.224.113.44:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:43:34 UTC 10.10.10.103:49205 -> 81.31.178.163:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:48:42 UTC 10.10.10.103:49212 -> 121.53.115.50:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:46:42 UTC 10.10.10.103:49204 -> 37.19.175.154:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:50:42 UTC 10.10.10.103:49237 -> 94.244.56.32:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:48:42 UTC 10.10.10.103:49228 -> 176.241.137.178:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:48:42 UTC 10.10.10.103:49220 -> 176.117.90.62:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin

Memory Analysis on Victim Machine

Following the SANS memory forensics methodology and using the Volatility framework, the final payload could be pulled from memory for further analysis. First, pslist was run to identify any rogue processes. go.exe immediately stands out as an unusual process; taking note of its PID, we can keep investigating it from there.
With the PID (1964) we can see what network activity is associated with it by using the netscan plugin. Note: the IP addresses here are included in the IDS alerts above.
Finally, this process can be dumped out for further analysis by invoking the procexedump plugin, leading us to Kelihos!
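As an added example (not from the original post), here is a small Python script that does the netscan-to-alert correlation described above: it parses Emerging Threats alert lines in the format shown on this page together with a sample of Volatility netscan output, and reports which PID holds connections to the alerted IPs. The netscan rows are constructed for illustration; the alert lines and addresses are the ones from the page.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Volatility 2 netscan output (not taken from the post).
NETSCAN_OUTPUT = """\
Offset(P)  Proto  Local Address        Foreign Address      State        Pid   Owner        Created
0x7d6b0a10 TCPv4  10.10.10.103:49197   5.248.178.75:80      ESTABLISHED  1964  go.exe       2015-03-22 16:41:34 UTC+0000
0x7d6b1c20 TCPv4  10.10.10.103:49205   81.31.178.163:80     CLOSED       1964  go.exe       2015-03-22 16:43:34 UTC+0000
0x7d6c3f80 TCPv4  10.10.10.103:49180   10.10.10.1:53        CLOSED       1052  svchost.exe  2015-03-22 16:40:10 UTC+0000
0x7d6d5a00 UDPv4  0.0.0.0:137          *:*                               4     System       2015-03-22 16:39:02 UTC+0000
"""

# Alert lines as printed on the page: "<timestamp> UTC src:port -> dst:port - signature".
IDS_ALERTS = """\
2015-03-22-16:41:34 UTC 10.10.10.103:49197 -> 5.248.178.75:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
2015-03-22-16:43:34 UTC 10.10.10.103:49205 -> 81.31.178.163:80 - ETPRO TROJAN Win32/Kryptik.BLYP Checkin
"""

ALERT_RE = re.compile(r"^(\S+ UTC) ([\d.]+):\d+ -> ([\d.]+):\d+ - (.+)$")
# State is blank for UDP rows in netscan output, so it is optional here.
NETSCAN_RE = re.compile(r"^0x[0-9a-f]+\s+(TCP|UDP)v[46]\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)")

def parse_alerts(text):
    """Return {ip: [signature, ...]} for both endpoints of every alert line."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            for ip in (m.group(2), m.group(3)):
                hits[ip].append(m.group(4))
    return hits

def parse_netscan(text):
    """Yield (pid, owner, foreign_ip) for each connection row; header lines are skipped."""
    for line in text.splitlines():
        m = NETSCAN_RE.match(line.strip())
        if m:
            yield int(m.group(5)), m.group(6), m.group(3).rsplit(":", 1)[0]

def correlate(netscan_text, alert_text):
    """Map each PID whose foreign address appears in an IDS alert to the matching signatures."""
    alerted = parse_alerts(alert_text)
    result = {}
    for pid, owner, ip in parse_netscan(netscan_text):
        if ip in alerted:
            entry = result.setdefault(pid, {"owner": owner, "matches": []})
            entry["matches"].append((ip, sorted(set(alerted[ip]))))
    return result

if __name__ == "__main__":
    for pid, info in correlate(NETSCAN_OUTPUT, IDS_ALERTS).items():
        print(pid, info["owner"], info["matches"])
```

Only go.exe (PID 1964) is reported, because its foreign addresses are the ones that fired the Kryptik/Kelihos checkin signatures; svchost.exe and System are left out.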

Preliminary Malware Analysis

Flash Exploit

Nuclear EK Payload

Secondary Malware

Kelihos Malware extracted from Memory

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.