2014-03-25 - MAGNITUDE EK USES IE EXPLOIT CVE-2013-2551

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS (all times UTC)

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD 1 OF 4

File name:  2014-03-25-Magnitude-EK-malware-payload-01.exe
File size:  147.3 KB ( 150813 bytes )
MD5 hash:  7722c904b6b3e9f3e512d32350feaaa2
Detection ratio:  10 / 51
First submission:  2014-03-25 17:43:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/114682495529476e4758265a47e2baf39ab19440c6aebd4a93b4df8dedacead3/analysis/
Malwr link:  https://malwr.com/analysis/NGE1ZmYxYTYxYWJiNDU0NWE3NWI1MzY4NDk5MTMyYjg/

MALWARE PAYLOAD 2 OF 4

File name:  2014-03-25-Magnitude-EK-malware-payload-02.exe
File size:  280.0 KB ( 286720 bytes )
MD5 hash:  b9aaa1511b1b58c65e428c6dbec124ee
Detection ratio:  10 / 51
First submission:  2014-03-25 17:45:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eb45fedd1b91a6e77c7b99fb50aaf76d844f402af37f083bd7290acc5b575f10/analysis/
Malwr link:  https://malwr.com/analysis/NzY3NGI3ZDdiZTU0NGJkY2IxMmIxYTgxZDc5YmY4MDI/

MALWARE PAYLOAD 3 OF 4

File name:  2014-03-25-Magnitude-EK-malware-payload-03.exe
File size:  111.9 KB ( 114536 bytes )
MD5 hash:  b6cee3f5c0872635b589e19c3dd97c2a
Detection ratio:  10 / 51
First submission:  2014-03-25 17:46:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4c9dfd7bc93c7eb6fb0dcf021d4c45640dc4017a4f3aad815cdb0480ba60fa8f/analysis/
Malwr link:  https://malwr.com/analysis/MTU5MzdlYzIyMmE0NGI1ZDhkZGI3OTgyMjAyMDQ5MDU/

MALWARE PAYLOAD 4 OF 4

File name:  2014-03-25-Magnitude-EK-malware-payload-04.exe
File size:  318.8 KB ( 326488 bytes )
MD5 hash:  ec393ea962e5e9c76fe8f78e90e81fea
Detection ratio:  4 / 34
First submission:  2014-03-25 17:48:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ecda684f4eef934067a0688f635a430a451ce031f9ad55e390f3f77a0a73f781/analysis/
Malwr link:  https://malwr.com/analysis/ZmNiYTJmZWEwNjA3NDA5Njg2MDM0ZDQ2YzZlYjRjYzI/

JAVA EXPLOIT SENT AFTER THE CVE-2013-2551 EXPLOIT HAD ALREADY RETRIEVED THE MALWARE

File name:  2014-03-25-Magnitude-EK-java-exploit.jar
File size:  10.1 KB ( 10314 bytes )
MD5 hash:  7508f384489e6314c0a1532a17d82e97
Detection ratio:  4 / 51
First submission:  2014-03-25 17:43:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a790685d8d86d18674a882aafbd0a6142b654e6bfb0c988e049f5ef10aef0e11/analysis/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Chain of events from the compromised website to the Magnitude EK domain:

Magnitude EK sends IE exploit CVE-2013-2551:

Malware delivered by Magnitude EK after the CVE-2013-2551 exploit:

Java exploit sent after the four EXE payload files were delivered:

Post-infection callback traffic:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.