2014-04-14 - MAGNITUDE EK FROM 67.196.3.65 - MSIE EXPLOIT - 6 MALWARE PAYLOADS

ASSOCIATED FILES:

NOTES:

UPDATE

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

MAGNITUDE EK:

SOME OF THE CALLBACK TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD 1 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-01.exe
File size:  184.0 KB ( 188416 bytes )
MD5 hash:  0b2d40aadc212b4b0e7cb92fdebc4b7b
Detection ratio:  7 / 51
First submission:  2014-04-14 02:45:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/64c6764f569a663407552b98b5458757145b97e0513805ff9acd65352f7596c1/analysis/
Malwr link:  https://malwr.com/analysis/YjgwYmMwYTYzZWI5NGJlZTk1MmMwODNjYTM1MTVjODQ/

 

MALWARE PAYLOAD 2 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-02.exe
File size:  18.5 KB ( 18961 bytes )
MD5 hash:  fa1a4222772ca5ea96a6b778a0bf8dec
Detection ratio:  11 / 50
First submission:  2014-04-14 02:45:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/45186539e70565c96ec0192bc1ebdd34eb0db3b02dbb73b81e561dc99ce9f79f/analysis/
Malwr link:  https://malwr.com/analysis/NmE4NjMzYzAxYWZjNGZmZThmNWRlYzI1OTU4YjhhZTI/

 

MALWARE PAYLOAD 3 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-03.exe
File size:  752.0 KB ( 770025 bytes )
MD5 hash:  82e4c565becaf62d03881fd605dcbab4
Detection ratio:  7 / 50
First submission:  2014-04-14 02:46:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ced2bc6ea437fe62e8e113d9212eeac02a8891c801977f26d13ddbf094ee914a/analysis/
Malwr link:  https://malwr.com/analysis/MzIwMTQ3N2QyOTIzNDJjOWI1YzBjMjVkYzZhYmE4YTA/

 

MALWARE PAYLOAD 4 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-04.exe
File size:  264.0 KB ( 270336 bytes )
MD5 hash:  67b9255666e55634e07cb01aa45d162d
Detection ratio:  4 / 51
First submission:  2014-04-14 02:46:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d5a8426cb19e04e4424ffb472e274469e259cafe7b5e1a24310bc6b0cc9cb19d/analysis/
Malwr link:  https://malwr.com/analysis/MjQ1NzAxNWI2YmRkNDJlYzkwODc0Y2NlOTY2NDRkMjc/

 

MALWARE PAYLOAD 5 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-05.exe
File size:  103.9 KB ( 106344 bytes )
MD5 hash:  1bbe05033f248d337acfe791a405dcc7
Detection ratio:  4 / 49
First submission:  2014-04-14 02:47:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9b8aa1c3f14518d83aa6ceb109518d1a31a98720dabd262928f06bca044230f3/analysis/
Malwr link:  https://malwr.com/analysis/OGFjNzJjN2JhMDM1NDlmNDkxMGJlOWE0ZTMzMzU4ZTE/

 

MALWARE PAYLOAD 6 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-06.exe
File size:  388.7 KB ( 398065 bytes )
MD5 hash:  9c6de625314482f9e73689bf375bf3cc
Detection ratio:  7 / 50
First submission:  2014-04-14 02:47:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2cd2fa449ec2c4e65daa309bcbdde67af4b255d9280e82a1b83cf23b3ae62dd9/analysis/
Malwr link:  https://malwr.com/analysis/ZGRlYzU5MDFiZWJjNDljOGI2ZDVlMjU4YjliYmNlNzU/

 

POST-INFECTION MALWARE DOWNLOAD 1 OF 2

File name:  5minut1.exe
File size:  751.5 KB ( 769536 bytes )
MD5 hash:  63f9122bfed825396e2ecd3d28022aa6
Detection ratio:  15 / 50
First submission:  2014-04-14 03:12:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e2f97907b66028d3c23382f8811d0842b6a556bc118f2ef520e13962d4281f2/analysis/1397445170/
Malwr link:  https://malwr.com/analysis/MTg5OTZhYTZhOWRlNDI1NDg2ZGVmYWYxZjgwZWU3NWI/#network

 

POST-INFECTION MALWARE DOWNLOAD 2 OF 2

File name:  5minut1-second-time.exe
File size:  809.5 KB ( 828944 bytes )
MD5 hash:  45c7fe3c32b71045d02a64cd26464d5f
Detection ratio:  15 / 51
First submission:  2014-04-14 03:33:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b520e6a8520e0ff02e15176220e0953727bc50d00b42ef0bc39c4de66cf991f2/analysis/
Malwr link:  https://malwr.com/analysis/OGQ4N2QxNmYwZTVjNDMwNWFlZGY0M2FhMDE1NjhjZDM/
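The per-sample records above follow a fixed layout (file name, size, MD5, VirusTotal detection ratio, VirusTotal and Malwr links), and the VirusTotal URL path carries the SHA-256 of the same file. As an added example that is not part of the original page, here is a Python parser that turns such records into a hash lookup table and checks an arbitrary file's bytes against it, which is how a defender would confirm that a file pulled from a quarantine or sandbox is one of the samples listed here. The two records embedded as sample input are copied from this page; the `Sample` class and the function names are my own, not anything from the site.

```python
import hashlib
import re
from dataclasses import dataclass

# Sample input: two records copied verbatim from the page. The parser accepts
# the whole "PRELIMINARY MALWARE ANALYSIS" section pasted in the same form.
SAMPLE_RECORDS = """\
MALWARE PAYLOAD 1 OF 6

File name:  2014-04-14-Magnitude-EK-malware-payload-01.exe
File size:  184.0 KB ( 188416 bytes )
MD5 hash:  0b2d40aadc212b4b0e7cb92fdebc4b7b
Detection ratio:  7 / 51
First submission:  2014-04-14 02:45:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/64c6764f569a663407552b98b5458757145b97e0513805ff9acd65352f7596c1/analysis/
Malwr link:  https://malwr.com/analysis/YjgwYmMwYTYzZWI5NGJlZTk1MmMwODNjYTM1MTVjODQ/

POST-INFECTION MALWARE DOWNLOAD 1 OF 2

File name:  5minut1.exe
File size:  751.5 KB ( 769536 bytes )
MD5 hash:  63f9122bfed825396e2ecd3d28022aa6
Detection ratio:  15 / 50
First submission:  2014-04-14 03:12:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e2f97907b66028d3c23382f8811d0842b6a556bc118f2ef520e13962d4281f2/analysis/1397445170/
Malwr link:  https://malwr.com/analysis/MTg5OTZhYTZhOWRlNDI1NDg2ZGVmYWYxZjgwZWU3NWI/#network
"""

# Hypothetical record type; field names are this example's own choice.
@dataclass(frozen=True)
class Sample:
    label: str        # e.g. "MALWARE PAYLOAD 1 OF 6"
    file_name: str
    size_bytes: int
    md5: str
    sha256: str       # taken from the VirusTotal URL path
    detections: int
    engines: int

_HEADER = re.compile(r"^(MALWARE PAYLOAD|POST-INFECTION MALWARE DOWNLOAD) \d+ OF \d+$")
_FIELD = re.compile(r"^([A-Za-z0-9 ]+?):\s+(.*)$")


def _to_sample(label, fields):
    """Build a Sample from one record's raw 'key: value' fields."""
    size = int(re.search(r"\(\s*(\d+)\s*bytes", fields["file size"]).group(1))
    sha256 = re.search(r"/file/([0-9a-f]{64})/", fields["virustotal link"]).group(1)
    detections, engines = (int(x) for x in fields["detection ratio"].split("/"))
    md5 = fields["md5 hash"].strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError(f"bad MD5 in record {label!r}: {md5}")
    return Sample(label, fields["file name"], size, md5, sha256, detections, engines)


def parse_records(text):
    """Split the page's record text into Sample objects, one per header."""
    samples, label, fields = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if _HEADER.match(line):
            if label is not None:
                samples.append(_to_sample(label, fields))
            label, fields = line, {}
            continue
        m = _FIELD.match(line)
        if m and label is not None:
            fields[m.group(1).lower()] = m.group(2).strip()
    if label is not None:
        samples.append(_to_sample(label, fields))
    return samples


def index_by_hash(samples):
    """Map both MD5 and SHA-256 to the Sample so either hash can be looked up."""
    index = {}
    for s in samples:
        index[s.md5] = s
        index[s.sha256] = s
    return index


def hash_pair(data):
    """Return (md5, sha256) hex digests of a file's bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_file_bytes(data, index):
    """Look a file up by content; prefer the SHA-256 hit, fall back to MD5.
    A hit whose recorded size differs from len(data) is rejected as bogus."""
    md5, sha256 = hash_pair(data)
    hit = index.get(sha256) or index.get(md5)
    if hit is not None and hit.size_bytes != len(data):
        return None
    return hit


def low_coverage(samples, max_fraction=0.25):
    """File names whose VT detection ratio at submission was at or below the
    given fraction; these are the ones hash/network indicators must catch."""
    return [s.file_name for s in samples
            if s.detections / s.engines <= max_fraction]


if __name__ == "__main__":
    table = parse_records(SAMPLE_RECORDS)
    for s in table:
        print(f"{s.label}: {s.file_name} md5={s.md5} {s.detections}/{s.engines}")
    print("low coverage:", low_coverage(table))
```

The size check in `match_file_bytes` is cheap insurance: the page records exact byte counts, so an MD5 hit with a different length is a collision or a copy error rather than the listed sample.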

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page:

 

First redirect:

 

Second redirect:

 

Magnitude EK delivers CVE-2013-2551 MSIE exploit:

 

First of six EXE payloads (the rest are sent in a similar manner):

 

The malware included CryptoLocker-style ransomware. It created the following icons on my desktop; I've opened the text file for this screenshot:

 

Follow the link:

 

And here's the ransom web page telling me how I can recover my files:

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
