[ PART 1 OF 3 ]     [ PART 3 OF 3 ]

2014-03-23 - MAGNITUDE EK

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-23-Magnitude-EK-java-exploit.jar
File size:  12.9 KB ( 13191 bytes )
MD5 hash:  9fb568df9f245f5fe6696f7c7a4bf8e4
Detection ratio:  2 / 51
First submission:  2014-03-23 22:22:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/585a72e19ba4c06c9b327f695def1af4379c925b75d586ea110bf3b0e40879ac/analysis/


MALWARE PAYLOAD

File name:  2014-03-23-Magnitude-EK-malware-payload.exe
File size:  145.9 KB ( 149395 bytes )
MD5 hash:  151f35f49fb016778bac3c0cb8b13398
Detection ratio:  6 / 51
First submission:  2014-03-23 22:22:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/87b9e97f37e6bfc91e3c4ba0508ad89f68aa7eb6856b143912b141f8b54b34ed/analysis/
Malwr link:  https://malwr.com/analysis/NWI1ZjIyMTBlODcxNGJmNjkwOTk2ZGYyYjFiZTBiZTM/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in web page from compromised server - www.locandadalciano.com/


First redirect by iframe in page from compromised website - bit.do/iV69?wmode=transparent


Second redirect using Flash ad - nusc.in/p4/ and nusc.in/p4/red2.swf


Final redirect - bnxm.biz/?pi4&se_referer=http://www.locandadalciano.com/


Magnitude EK delivers Java exploit -
27.e97a7fd.4e.15b.6f7.ca0726.6f2744.f70.pidzfnbzozvj.pendates.in/6bf3ad39357672e20ff1c3ac07eb87bb/6ec5d11104b6614f1873305a16d4267d


Java exploit delivers EXE payload -
27.e97a7fd.4e.15b.6f7.ca0726.6f2744.f70.pidzfnbzozvj.pendates.in/6bf3ad39357672e20ff1c3ac07eb87bb/0


This EXE has been XOR-ed with the single byte 0x29.
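Added example (not code from this page or its author): decoding a single-byte-XOR-obfuscated payload like the one above and checking that the result is a Windows executable. The sample bytes are a constructed stand-in for an EXE, not the captured payload; the key 0x29 is the one stated above. The key-recovery helper goes a step beyond the page by brute-forcing all 256 possible single-byte keys, which is handy when a later sample uses a different byte.

```python
"""
Recover a PE payload that an exploit kit has XOR-ed with a single byte.

Constructed example: FAKE_EXE below is a stand-in for a real executable
(MZ signature plus the usual DOS-stub text), not the captured Magnitude
payload.  MAGNITUDE_KEY is the 0x29 key observed in this traffic.
"""
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key` (0-255).

    XOR is its own inverse, so the same call both obfuscates and decodes.
    """
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte (0-255)")
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check for a decoded blob: MZ signature and DOS-stub string."""
    return data[:2] == b"MZ" and DOS_STUB in data


def recover_single_byte_key(data: bytes) -> Optional[int]:
    """Brute-force all 256 keys and return the first one that yields a PE-looking blob.

    Returns None if no key works (payload is not a single-byte-XOR-ed PE).
    """
    for key in range(256):
        if looks_like_pe(xor_decode(data, key)):
            return key
    return None


# Constructed stand-in for an EXE: MZ header, padding, DOS-stub text, padding.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\r\n$" + b"\x00" * 16

# Key observed in this Magnitude EK traffic.
MAGNITUDE_KEY = 0x29

# What the bytes served at the ".../0" URL would look like on the wire:
# the executable XOR-ed with 0x29, so the MZ signature becomes 0x64 0x73.
OBFUSCATED = xor_decode(FAKE_EXE, MAGNITUDE_KEY)


if __name__ == "__main__":
    print("obfuscated payload starts with:", OBFUSCATED[:2].hex())
    print("recovered key:", hex(recover_single_byte_key(OBFUSCATED)))
    decoded = xor_decode(OBFUSCATED, MAGNITUDE_KEY)
    print("decoded payload looks like a PE:", looks_like_pe(decoded))
```

To use this on a real capture, carve the HTTP response body for the payload URL out of the pcap (Wireshark's export-objects or a similar tool), read it as bytes, and pass it to `recover_single_byte_key`; the `looks_like_pe` check is intentionally loose, so confirm the decoded file with a PE parser before submitting it to a sandbox.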


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
