Notes
PCAP and Malware
Compromised Domain and Redirects

2015-04-25 23:04:49 UTC - 187.45.189.26 - omb100.com - GET /
2015-04-25 23:04:49 UTC - 187.45.189.26 - www.omb100.com - GET /
2015-04-25 23:04:50 UTC - 187.45.189.26 - www.omb100.com - GET /br

Nuclear EK Traffic

2015-04-25 23:04:53 UTC - 162.247.12.207 - yellowfrance.com - GET /wRJrUHURtdt20.html
2015-04-25 23:04:54 UTC - 95.85.29.102 - battermunre.ga - GET /AFAIA08PTQg.html
2015-04-25 23:04:55 UTC - 95.85.29.102 - battermunre.ga - GET /undefined.html
2015-04-25 23:04:57 UTC - 95.85.29.102 - battermunre.ga - GET /XBpITQoEAQtJDUoIHgkFAAYBCQYEAgkeDgUdBAIMGwUDDEwAAU9QXQs
2015-04-25 23:05:01 UTC - 95.85.29.102 - battermunre.ga - GET /XwtUVE8PAwkHSA9FU0QABwUBCQUHBg1SRAcHGAMKABoHDFcWCQNKBEV3eGFYO1k

Post-Infection Traffic

2015-04-25 23:05:07 UTC - 162.247.14.186 - 162.247.14.186 - POST /new_advert/afetwesgsdg.php
2015-04-25 23:05:07 UTC - 162.247.14.185 - 162.247.14.185 - GET /ppc3/ppc3.exe
2015-04-25 23:05:07 UTC - 162.247.14.185 - 162.247.14.185 - GET /simb/syppc.exe
2015-04-25 23:05:08 UTC - 162.247.14.185 - 162.247.14.185 - GET /ppi/ppi.exe

Traffic Screenshots

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-04-25 23:04:57 UTC - 95.85.29.102:80 -> 192.168.32.10:1062 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF
2015-04-25 23:04:57 UTC - 95.85.29.102:80 -> 192.168.32.10:1062 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-04-25 23:05:02 UTC - 95.85.29.102:80 -> 192.168.32.10:1062 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-04-25 23:05:07 UTC - 192.168.32.10:1069 -> 162.247.14.186:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:07 UTC - 192.168.32.10:1069 -> 162.247.14.186:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-04-25 23:05:07 UTC - 162.247.14.186:80 -> 192.168.32.10:1069 - ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK
2015-04-25 23:05:07 UTC - 192.168.32.10:1070 -> 162.247.14.185:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:07 UTC - 192.168.32.10:1070 -> 162.247.14.185:80 - ET TROJAN Fareit/Pony Downloader Checkin 3
2015-04-25 23:05:07 UTC - 162.247.14.185:80 -> 192.168.32.10:1070 - ETPRO TROJAN Fareit/Pony Downloader .exe file download
2015-04-25 23:05:07 UTC - 192.168.32.10:1071 -> 162.247.14.185:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:07 UTC - 192.168.32.10:1071 -> 162.247.14.185:80 - ET TROJAN Fareit/Pony Downloader Checkin 3
2015-04-25 23:05:07 UTC - 162.247.14.185:80 -> 192.168.32.10:1071 - ETPRO TROJAN Fareit/Pony Downloader .exe file download
2015-04-25 23:05:08 UTC - 192.168.32.10:1072 -> 162.247.14.185:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:08 UTC - 192.168.32.10:1072 -> 162.247.14.185:80 - ET TROJAN Fareit/Pony Downloader Checkin 3
2015-04-25 23:05:10 UTC - 162.247.14.185:80 -> 192.168.32.10:1072 - ETPRO TROJAN Fareit/Pony Downloader .exe file download
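A small Python triage script, added here as an example (it is not part of the original post and is not the author's tooling): it parses the request log and the Snort alerts in the layout used above, correlates each request with alerts on the same server IP inside a three-second window (the log only has one-second resolution, so the window is deliberately coarse), labels each request with its stage in the chain, and pulls out the executables fetched right after the POST check-in, which is what makes the Pony traffic in this capture read as a downloader rather than a plain credential stealer. The log text is embedded as constructed sample input copied from the tables on this page; the stage names, the time windows and the function names are my own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the request log and IDS alerts from this post, in the
# "timestamp UTC - server - host - method path" and "timestamp UTC - src -> dst - msg" layouts.
HTTP_LOG = """\
2015-04-25 23:04:49 UTC - 187.45.189.26 - omb100.com - GET /
2015-04-25 23:04:49 UTC - 187.45.189.26 - www.omb100.com - GET /
2015-04-25 23:04:50 UTC - 187.45.189.26 - www.omb100.com - GET /br
2015-04-25 23:04:53 UTC - 162.247.12.207 - yellowfrance.com - GET /wRJrUHURtdt20.html
2015-04-25 23:04:54 UTC - 95.85.29.102 - battermunre.ga - GET /AFAIA08PTQg.html
2015-04-25 23:04:55 UTC - 95.85.29.102 - battermunre.ga - GET /undefined.html
2015-04-25 23:04:57 UTC - 95.85.29.102 - battermunre.ga - GET /XBpITQoEAQtJDUoIHgkFAAYBCQYEAgkeDgUdBAIMGwUDDEwAAU9QXQs
2015-04-25 23:05:01 UTC - 95.85.29.102 - battermunre.ga - GET /XwtUVE8PAwkHSA9FU0QABwUBCQUHBg1SRAcHGAMKABoHDFcWCQNKBEV3eGFYO1k
2015-04-25 23:05:07 UTC - 162.247.14.186 - 162.247.14.186 - POST /new_advert/afetwesgsdg.php
2015-04-25 23:05:07 UTC - 162.247.14.185 - 162.247.14.185 - GET /ppc3/ppc3.exe
2015-04-25 23:05:07 UTC - 162.247.14.185 - 162.247.14.185 - GET /simb/syppc.exe
2015-04-25 23:05:08 UTC - 162.247.14.185 - 162.247.14.185 - GET /ppi/ppi.exe
"""
IDS_LOG = """\
2015-04-25 23:04:57 UTC - 95.85.29.102:80 -> 192.168.32.10:1062 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF
2015-04-25 23:04:57 UTC - 95.85.29.102:80 -> 192.168.32.10:1062 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-04-25 23:05:02 UTC - 95.85.29.102:80 -> 192.168.32.10:1062 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-04-25 23:05:07 UTC - 192.168.32.10:1069 -> 162.247.14.186:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:07 UTC - 192.168.32.10:1069 -> 162.247.14.186:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-04-25 23:05:07 UTC - 162.247.14.186:80 -> 192.168.32.10:1069 - ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK
2015-04-25 23:05:07 UTC - 192.168.32.10:1070 -> 162.247.14.185:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:07 UTC - 192.168.32.10:1070 -> 162.247.14.185:80 - ET TROJAN Fareit/Pony Downloader Checkin 3
2015-04-25 23:05:07 UTC - 162.247.14.185:80 -> 192.168.32.10:1070 - ETPRO TROJAN Fareit/Pony Downloader .exe file download
2015-04-25 23:05:07 UTC - 192.168.32.10:1071 -> 162.247.14.185:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:07 UTC - 192.168.32.10:1071 -> 162.247.14.185:80 - ET TROJAN Fareit/Pony Downloader Checkin 3
2015-04-25 23:05:07 UTC - 162.247.14.185:80 -> 192.168.32.10:1071 - ETPRO TROJAN Fareit/Pony Downloader .exe file download
2015-04-25 23:05:08 UTC - 192.168.32.10:1072 -> 162.247.14.185:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2015-04-25 23:05:08 UTC - 192.168.32.10:1072 -> 162.247.14.185:80 - ET TROJAN Fareit/Pony Downloader Checkin 3
2015-04-25 23:05:10 UTC - 162.247.14.185:80 -> 192.168.32.10:1072 - ETPRO TROJAN Fareit/Pony Downloader .exe file download
"""

TS = "%Y-%m-%d %H:%M:%S"
HTTP_RE = re.compile(r"^(\S+ \S+) UTC - (\S+) - (\S+) - (GET|POST) (\S+)$")
IDS_RE = re.compile(r"^(\S+ \S+) UTC - (\S+):\d+ -> (\S+):\d+ - (.+)$")


def parse_http(text):
    """Request lines -> dicts with timestamp, server IP, Host header value, method and path."""
    return [{"ts": datetime.strptime(m[1], TS), "ip": m[2], "host": m[3], "method": m[4], "path": m[5]}
            for m in map(HTTP_RE.match, text.splitlines()) if m]


def parse_ids(text):
    """Alert lines -> dicts with timestamp, source IP, destination IP and signature name."""
    return [{"ts": datetime.strptime(m[1], TS), "src": m[2], "dst": m[3], "msg": m[4]}
            for m in map(IDS_RE.match, text.splitlines()) if m]


def alerts_for(req, alerts, window=3):
    """Signatures that fired on the request's server IP within +/- window seconds of the request."""
    w = timedelta(seconds=window)
    return [a["msg"] for a in alerts
            if req["ip"] in (a["src"], a["dst"]) and abs(a["ts"] - req["ts"]) <= w]


def stage(msgs):
    """Map correlated signature names to a stage of the infection chain (names are my own)."""
    text = " ".join(msgs)
    if "Nuclear EK" in text:
        return "exploit-kit"
    if "Pony" in text or "Fareit" in text:
        return "post-infection"
    return "unalerted"  # compromised site / redirector: nothing in the ruleset matched


def downloader_chain(reqs, window=10):
    """Executables fetched within `window` seconds after a POST check-in: the downloader pattern."""
    w = timedelta(seconds=window)
    posts = [r for r in reqs if r["method"] == "POST"]
    return [r["path"] for r in reqs
            if r["method"] == "GET" and r["path"].lower().endswith(".exe")
            and any(p["ts"] <= r["ts"] <= p["ts"] + w for p in posts)]


def summarize(http_text, ids_text):
    """Stage-labelled timeline plus the indicators an analyst would pull from this capture."""
    reqs, alerts = parse_http(http_text), parse_ids(ids_text)
    timeline = [(r["ts"].strftime("%H:%M:%S"), r["host"], r["method"], r["path"],
                 stage(alerts_for(r, alerts))) for r in reqs]
    iocs = {"domains": sorted({r["host"] for r in reqs if r["host"] != r["ip"]}),
            "ips": sorted({r["ip"] for r in reqs}),
            "executables": downloader_chain(reqs)}
    return {"timeline": timeline, "iocs": iocs}


if __name__ == "__main__":
    result = summarize(HTTP_LOG, IDS_LOG)
    for row in result["timeline"]:
        print(" | ".join(row))
    print(result["iocs"])
```

The correlation key is the server IP rather than the client port because the request log above does not carry the client side of the connection; with the full PCAP one would join on the client port (1062, 1069 to 1072) instead and get an exact match per session. Requests whose host is the bare IP are excluded from the domain indicator list, since there is no hostname to block.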

Preliminary Malware Analysis

Nuclear EK Flash Exploit

Nuclear EK Malware Payload

syppc.exe -- Gamarue.AQ

ppc3.exe

ppi.exe

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.