s225645819/malware-traffic-analysis-nuclear-ek

GitHub: s225645819/malware-traffic-analysis-nuclear-ek

Stars: 0 | Forks: 0

# Malware Traffic Analysis — Nuclear Exploit Kit Infection

A network forensics investigation of a real malware infection, analyzed from a packet capture (PCAP) in **Wireshark**. This report reconstructs a drive-by-download attack in which a Windows host was compromised via the **Nuclear Exploit Kit** after visiting a legitimate-but-hacked website, and documents the full infection chain, extracted malware samples, indicators of compromise (IOCs), and MITRE ATT&CK mapping.

## Executive Summary

A Windows workstation (`K34EN6W3N-PC`, `172.16.165.165`) became infected after a user browsed to a compromised website. The site silently redirected the browser through a gate to a Nuclear Exploit Kit server, which fired **Flash and Java exploits** against the victim's outdated browser plugins. Exploitation succeeded and the kit delivered an **obfuscated Windows executable (~401 KB)** disguised as an MP3 request. The full chain was reconstructed from HTTP traffic, and all three malicious files (payload + two exploits) were extracted and hashed.

## Victim Host Identification

| Attribute | Value | How it was found |
|---|---|---|
| IP address | `172.16.165.165` | `Statistics → Conversations → IPv4` — busiest internal host, fanning out to many external IPs |
| MAC address | `f0:19:af:02:9b:f1` | Ethernet conversation (3,000 pkts / 2 MB) + Ethernet II layer |
| Host name | `K34EN6W3N-PC` | NBNS traffic (`nbns` filter) — "Refresh NB K34EN6W3N-PC" |

IPv4 Conversations showing 172.16.165.165 as the busy internal host

NBNS traffic revealing the hostname K34EN6W3N-PC

## The Infection Chain

The attack unfolded across four stages, reconstructed using the `http.request` display filter and `File → Export Objects → HTTP`:

1. Compromised site → `ciniholland.nl` (legitimate Dutch site, hacked)
2. Redirect / gate → `24corp-shop.com` (silent redirect to the EK)
3. Exploit Kit → `stand.trustandprobaterealty.com` (Nuclear EK landing + exploits)
4. Payload delivery → obfuscated `.exe` (~401 KB), disguised as an "mp3" request

http.request filter showing the full infection chain across domains

**Stage 1 — Compromised website (`ciniholland.nl`).** The user browsed to this legitimate website. Normal page assets (`wp-content/...`, CSS, JS, images) confirm it is a WordPress site; the site had been compromised to redirect visitors.

**Stage 2 — Redirect gate (`24corp-shop.com`).** The compromised page quietly redirected the browser here (`/notfound.gif` and related requests), which forwarded the victim on to the exploit kit.

**Stage 3 — Nuclear Exploit Kit (`stand.trustandprobaterealty.com`).** The hallmark of the kit is its URL structure. Requests followed the pattern `index.php?req=&num=&PHPSSESID=`, serving exploits by type:

- `req=swf` → Adobe Flash exploit (`application/x-shockwave-flash`)
- `req=jar` → Java exploit (`application/java-archive`)
- `req=mp3` → the malware payload (`application/x-msdownload`, disguised by the "mp3" label)

The victim's outbound request advertised `x-flash-version: 11,2,2...`, indicating the vulnerable Flash plugin the kit targeted.

**Stage 4 — Payload delivery.** The kit delivered a ~401 KB Windows executable three times (`num=16`, `num=95`, `num=803295`) over HTTP. The file is obfuscated in transit (it does not present a clean PE header on the wire), a common EK technique to evade network detection; the browser exploit decodes it on execution.

## Extracted Artifacts & IOCs

All three malicious files were carved from the PCAP via `Export Objects → HTTP` and hashed offline. **No file was executed.**
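As an added illustration (not part of the original report), the Python below triages request lines of the shape produced by `tshark -T fields` against the Nuclear EK URL pattern from Stage 3, then checks each carved object's leading bytes against its advertised Content-Type, which is how the "no clean PE header on the wire" observation can be confirmed before hashing. The sample request lines, the asset path and the `PHPSSESID` value are constructed placeholders, not values from the capture.

```python
import hashlib
import re

# Nuclear EK request shape documented in the report:
#   index.php?req=<type>&num=<n>&PHPSSESID=<session>
NUCLEAR_URI = re.compile(r"^/index\.php\?req=(?P<req>\w+)&num=\d+&PHPSSESID=")

# What each req type delivered in this capture (role, advertised Content-Type).
REQ_ROLE = {
    "swf": ("Flash exploit", "application/x-shockwave-flash"),
    "jar": ("Java exploit", "application/java-archive"),
    "mp3": ("payload disguised as mp3", "application/x-msdownload"),
}

# Leading bytes a genuine file of each advertised type starts with.
MAGIC = {
    "application/x-shockwave-flash": (b"FWS", b"CWS", b"ZWS"),
    "application/java-archive": (b"PK\x03\x04",),
    "application/x-msdownload": (b"MZ",),
}

# Constructed sample in the shape of `tshark -Y http.request -T fields
# -e ip.src -e http.host -e http.request.uri` output; the asset path and
# the PHPSSESID value are placeholders, not values from the capture.
SAMPLE_REQUESTS = """\
172.16.165.165\tciniholland.nl\t/wp-content/themes/placeholder/style.css
172.16.165.165\t24corp-shop.com\t/notfound.gif
172.16.165.165\tstand.trustandprobaterealty.com\t/index.php?req=swf&num=1&PHPSSESID=SESSIONPLACEHOLDER
172.16.165.165\tstand.trustandprobaterealty.com\t/index.php?req=jar&num=2&PHPSSESID=SESSIONPLACEHOLDER
172.16.165.165\tstand.trustandprobaterealty.com\t/index.php?req=mp3&num=16&PHPSSESID=SESSIONPLACEHOLDER
"""

def triage_requests(field_lines):
    """Return (host, req_type, role) for each request matching the EK pattern."""
    hits = []
    for line in field_lines.splitlines():
        _src, host, uri = line.split("\t", 2)
        m = NUCLEAR_URI.match(uri)
        if m:
            hits.append((host, m["req"], REQ_ROLE.get(m["req"], ("unknown",))[0]))
    return hits

def check_object(content_type, data):
    """Flag a carved object whose first bytes do not match its Content-Type,
    and record its SHA256 so the IOC comes from hashing, never from running it."""
    magic_ok = any(data.startswith(m) for m in MAGIC.get(content_type, ()))
    return {"content_type": content_type, "magic_ok": magic_ok,
            "sha256": hashlib.sha256(data).hexdigest()}
```

A `magic_ok` of `False` for the `application/x-msdownload` object is the expected result for this capture, matching the report's observation that the payload is obfuscated in transit.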

Wireshark Export Objects showing the payload and exploit files from the EK server

### Network IOCs

| Indicator | Type | Role |
|---|---|---|
| `ciniholland.nl` | Domain | Compromised website (entry point) |
| `24corp-shop.com` | Domain | Redirect gate |
| `stand.trustandprobaterealty.com` | Domain | Nuclear EK server |
| `82.150.140.30` | IP | Compromised site |
| `188.225.73.100` | IP | Redirect gate |
| `37.200.69.143` | IP | Nuclear EK server |

### File IOCs

**Malware payload** — Windows executable, ~401 KB, obfuscated in transit

- MD5: `d276c86dcdbcdb6b74ee02496bc90d98`
- SHA1: `640cba2ecde8af90b9f87a51f2fa59c7c8dfa8fc`
- SHA256: `ce5d1c41f6ca739f6c69f175a8f688334df2ea4d2e0fb5e3243ae01efd251e81`

**Flash exploit** — `Macromedia Flash data (compressed), version 22`, 8,227 bytes

- MD5: `7b3baa7d6bb3720f369219789e38d6ab`
- SHA256: `e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747`

**Java exploit** — `Java archive (JAR)`, 10,606 bytes

- MD5: `1e34fdebbf655cebea78b45e43520ddf`
- SHA256: `178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3`

## MITRE ATT&CK Mapping

| Technique | ID | Evidence |
|---|---|---|
| Drive-by Compromise | **T1189** | User infected by visiting a compromised website (`ciniholland.nl`) |
| Exploitation for Client Execution | **T1203** | Flash (`.swf`) and Java (`.jar`) exploits served by the EK |
| Ingress Tool Transfer | **T1105** | ~401 KB executable downloaded over HTTP from the EK server |
| Obfuscated Files or Information | **T1027** | Payload obfuscated in transit (no clean PE header on the wire) |

## Analysis Workflow (Wireshark)

The investigation followed a repeatable analyst loop:

1. **Identify the victim** — `Statistics → Conversations` (IPv4) to find the busy internal host.
2. **Get host identity** — Ethernet layer for MAC, `nbns` / `dhcp` filters for hostname.
3. **Trace web activity** — `http.request` filter to see every request in chronological order.
4. **Follow the chain** — read the Host + URI columns to separate compromised site → gate → EK.
5. **Extract files** — `File → Export Objects → HTTP` to carve the payload and exploits.
6. **Hash for IOCs** — compute MD5/SHA256 offline; never execute the sample.

Hashes were generated on Windows with PowerShell's `Get-FileHash`:

```powershell
# Samples were saved with a .mal extension so they cannot be launched by accident.
foreach ($f in "nuclear_payload.exe.mal","nuclear_flash_exploit.swf.mal","nuclear_java_exploit.jar.mal") {
    # One Get-FileHash call per algorithm for each carved file.
    "MD5","SHA1","SHA256" | ForEach-Object { Get-FileHash -Algorithm $_ ".\$f" }
}
```

PowerShell Get-FileHash output for all three malware samples

## Skills Demonstrated

- Packet analysis and display filtering in **Wireshark** (`http.request`, `nbns`, `dhcp`)
- Reconstructing a multi-stage **drive-by / exploit-kit infection chain** from raw traffic
- Distinguishing legitimate page traffic from malicious redirects and exploit delivery
- **Carving files** from a PCAP (Export Objects) and computing **file hashes** as IOCs
- Safe malware handling (analyze and hash, never execute)
- **MITRE ATT&CK** mapping and structured incident reporting

## Notes & Safety

- This analysis was performed on a packet capture (a passive recording). A PCAP cannot infect the analyst's machine.
- The extracted `.exe` is **live malware** and was only hashed, never executed. It was saved with a non-executable extension to prevent accidental launch.
- This is a learning/portfolio exercise using a public training PCAP from malware-traffic-analysis.net.