2014-03-12 - MAGNITUDE EK USES IE EXPLOIT

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

FIRST MALWARE PAYLOAD

File name: 2014-03-12-Magnitude-EK-payload-01.exe
File size: 124.0 KB (126976 bytes)
MD5 hash: 80f546ee8ff0d0ac37224b31bea23a03
Detection ratio: 6 / 50
First submission: 2014-03-12 06:37:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/2eb10a302ca9d88c712ec3928e03959d791e55c517e58277073a390d1f4db433/analysis/
Malwr link: https://malwr.com/analysis/ZjVlMGZiOTQxNmUzNDViNGEyMjJhMDdiOGU2NzQxNDA/

SECOND MALWARE PAYLOAD

File name: 2014-03-12-Magnitude-EK-payload-02.exe
File size: 111.9 KB (114536 bytes)
MD5 hash: 6f8621f52843f8f02abc11c2bccfcb45
Detection ratio: 4 / 50
First submission: 2014-03-12 06:38:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/7662b3c7092229fe48f38f63436609cabf2129c1ac98a26ddd095e6efd5e116e/analysis/
Malwr link: https://malwr.com/analysis/NGZkYWE1NzE1YmY5NDYwNDhhNTEwNjhmODA2MGQyNGY/

THIRD MALWARE PAYLOAD

File name: 2014-03-12-Magnitude-EK-payload-03.exe
File size: 353.8 KB (362264 bytes)
MD5 hash: ffc37bc1d1e4bcf93d4d9ad0029f17a4
Detection ratio: 6 / 50
First submission: 2014-03-12 06:39:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/dc5e01ce74bee5b362220e8762787d79ef57019fbc101c0adb5ff97f3a0331fa/analysis/
Malwr link: https://malwr.com/analysis/YTVlNDY5MDI5NzE4NDQyZThkNThlMjJkNDNjYmE0MDg/

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Search result for the web page returns JavaScript from the compromised web server - arthur-abele.de/images/erlkonig-translation

Magnitude EK landing page - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw/

Magnitude EK delivers IE exploit - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw/abc22ce71d47731fe915cbd294089ac6/faa1e631c3aeb4b16c27b07b198fea74

Three HTTP GET requests for the three different pieces of malware:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.