Notes
  • Edited 2015-07-17 after a mistake on my part which was pointed out by @malware_traffic -- Thanks!!
  • Another one from Threatglass
  • Nuclear EK Payload XOR'd with key 'okcBx', or hex 6f 6b 63 42 78
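Added example, not code from the original post: a small decoder for the repeating-key XOR encoding noted above, using the stated key 'okcBx' (6f 6b 63 42 78), with a sanity check that the output is a PE file and a known-plaintext key recovery that generalizes to other 5-byte keys. The payload it decodes is a constructed PE stub, not the captured Glupteba binary.

```python
"""Decode a repeating-key XOR'd Nuclear EK payload for offline analysis."""
import sys
from itertools import cycle

# Key stated in the post: 'okcBx' == 6f 6b 63 42 78
NUCLEAR_XOR_KEY = bytes.fromhex("6f6b634278")
assert NUCLEAR_XOR_KEY == b"okcBx"


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated (byte i of data uses key[i % len(key)]). Symmetric."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a decoded blob is a PE: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(encoded: bytes, known_plaintext: bytes) -> bytes:
    """Recover a repeating key from known plaintext at offset 0.
    With a 5-byte key, the first 5 bytes of a typical DOS header (MZ 90 00 03) suffice."""
    return bytes(c ^ p for c, p in zip(encoded, known_plaintext))


def build_sample_pe_stub() -> bytes:
    """Constructed sample (not the real payload): DOS header with e_lfanew -> PE signature."""
    hdr = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")
    hdr += b"\x00" * (0x3C - len(hdr))
    hdr += (0x40).to_bytes(4, "little")  # e_lfanew: PE header right after DOS header
    hdr += b"PE\x00\x00"
    return bytes(hdr)


SAMPLE_PLAIN = build_sample_pe_stub()
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, NUCLEAR_XOR_KEY)  # encode == decode for XOR

if __name__ == "__main__":
    # Usage: python decode.py <encoded_payload> <output_file>  (paths are hypothetical)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCODED
    decoded = xor_decode(blob, NUCLEAR_XOR_KEY)
    print("decoded looks like PE:", looks_like_pe(decoded))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(decoded)
```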
PCAP and Malware
Compromised Domain and Redirect

2015-07-12 04:57:41 UTC - 218.93.127.106 - aguo.com - GET /
2015-07-12 04:57:41 UTC - 218.93.127.106 - www.aguo.com - GET /
2015-07-12 04:57:41 UTC - 218.93.127.106 - www.aguo.com - GET /source/js/tongji.js
2015-07-12 04:57:42 UTC - 188.130.7.122 - 76vkxc06y4844nos1iaxthj.ganeshaubud.com - GET /index.php?l=anM9MSZlb3pjaXZiPXlzJnRpbWU9MTUwNzEyMDQ1MjIzMDgxODE5NzUmc3JjPTM0JnN1cmw9d3d3LmFndW8uY29tJnNwb3J0PTgwJmtleT1GMzMxM0UwOSZzdXJpPS9zb3VyY2UvanMvdG9uZ2ppLmpz
2015-07-12 04:57:45 UTC - 188.130.7.122 - 76vkxc06y4844nos1iaxthj.ganeshaubud.com - GET /watch.php?fwzlp=MTAzNDU5ZDRkNTQ5NTRhZjQ0MGViOWI1MDZkMWE3ZDlh

Nuclear EK Traffic

2015-07-12 04:57:46 UTC - 188.130.7.122 - wnir20g5zo7939d22uu2off.ganeshaubud.com - GET /SA5WTgcYRVldQABUVQJOXQVdAQ5QAAARRwVbVFRKVVZaV0EMU0JWR1ZKUVhZ.html
2015-07-12 04:57:46 UTC - 188.130.7.122 - wnir20g5zo7939d22uu2off.ganeshaubud.com - GET /V09ETkhdUEsBTgYYRVldQABUVQJOXQVdAQ5QAAARRwVbVFRKVVZaV0EMU0JWR1ZKUVhZTgRQHAUHBxxVBwIaCgIYAwMHBARTBQcCBE4CXgQ
2015-07-12 04:57:49 UTC - 188.130.7.122 - wnir20g5zo7939d22uu2off.ganeshaubud.com - GET /VF5YV04eC1VIB05QTkBaW0BWAlABSF1TCwQNVgBWR0IGXVQCHFBVXFcXWlZBUEcAHFRbX05SBhkGAQdKAwIBHApUTgYAAQRSBQAEBAQYB0tbWVEmSksF
2015-07-12 04:57:50 UTC - 188.130.7.122 - wnir20g5zo7939d22uu2off.ganeshaubud.com - GET /favicon.ico

Post-Infection Glupteba Traffic

2015-07-12 04:58:36 UTC - 81.255.83.139 - 81.255.83.139 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0001397A&statpass=bpass&version=21150710&features=30&guid=d551d6cc-dd05-4163-b356-7eb44b86d631&comment=21150710&p=0&s=
2015-07-12 04:59:22 UTC - 173.194.113.81 - www.google.com - GET /robots.txt
2015-07-12 04:59:41 UTC - 108.163.245.234 - 108.163.245.234 - GET /stat?uid=100&downlink=1111&uplink=1111&id=000238AA&statpass=bpass&version=21150710&features=30&guid=d551d6cc-dd05-4163-b356-7eb44b86d631&comment=21150710&p=1&s=108.163.245.234:49053,184.154.142.226:13208,96.127.156.130:49721

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-07-12 04:57:43 UTC - 192.168.58.10:1044 -> 188.130.7.122:80 - ET CURRENT EVENTS Cushion Redirection
2015-07-12 04:57:46 UTC - 192.168.58.10:1045 -> 188.130.7.122:80 - ET CURRENT EVENTS Possible Nuclear EK Landing URI Struct T1
2015-07-12 04:57:46 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M1
2015-07-12 04:57:46 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-07-12 04:57:46 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ETPRO CURRENT EVENTS Possible Nuclear EK Landing Jul 08 2015 M2
2015-07-12 04:57:47 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ETPRO CURRENT EVENTS Nuclear EK Landing April 30 2015 M4
2015-07-12 04:57:47 UTC - 192.168.58.10:1045 -> 188.130.7.122:80 - ET CURRENT EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015
2015-07-12 04:57:47 UTC - 192.168.58.10:1045 -> 188.130.7.122:80 - ET POLICY Outdated Windows Flash Version IE
2015-07-12 04:57:47 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-07-12 04:57:49 UTC - 192.168.58.10:1046 -> 188.130.7.122:80 - ET CURRENT EVENTS Angler EK Payload DL M2 Feb 06 2015
2015-07-12 04:57:50 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-07-12 04:57:50 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-07-12 04:57:50 UTC - 188.130.7.122:80 -> 192.168.58.10:1045 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-07-12 04:58:36 UTC - 192.168.58.10:1052 -> 81.255.83.139:53872 - ET TROJAN Win32/Glupteba CnC Checkin
2015-07-12 04:59:42 UTC - 192.168.58.10:1058 -> 108.163.245.234:49053 - ET TROJAN Win32/Glupteba CnC Checkin

Preliminary Malware Analysis

Nuclear EK Flash Exploit

Nuclear EK Payload - Glupteba

PCAP and Malware

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.