2014-04-15 - MAGNITUDE EK FROM 67.196.3.66 - SUGGESTINGLOTS.IN

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

MAGNITUDE EK:

SOME OF THE CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

File name:  2014-04-15-Magnitude-EK-malware-payload-01.exe
VirusTotal link:  https://www.virustotal.com/en/file/b0b9202f721b0717865aa94869028b3bd56de022f575982b27929e133ea1bc1c/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-02.exe
VirusTotal link:  https://www.virustotal.com/en/file/3bd6d13b4c5be578ec5b2ab4718fd143585b90d88634956e895564d5a15038eb/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-03.exe
VirusTotal link:  https://www.virustotal.com/en/file/f56a8067d213b40a3e4735abcf7ca4707dd38ad736c10033822d580c4dbaf7db/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-04.exe
VirusTotal link:  https://www.virustotal.com/en/file/0c192077738004434dab51212ae9d7628c90dbc2d19a09cc66cf3ff192ad5795/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-05.exe
VirusTotal link:  https://www.virustotal.com/en/file/377bec82f9fd25ca2bb9e2b8f061f891080e123f23a0970a0deef3e31f88abd6/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-06.exe
VirusTotal link:  https://www.virustotal.com/en/file/55e1508e841b20a46b97516acf9da8aea15c080b9a50b1288e71f04e7cb9a890/analysis/

File name:  UpdateFlashPlayer_36ebcffd.exe
VirusTotal link:  https://www.virustotal.com/en/file/63196d84da284328361e6ac9b45cd9f1a1f88701916dcea9796dbdf41b7c43bc/analysis/

File name:  soft32.dll
VirusTotal link:  https://www.virustotal.com/en/file/e2ba39c3ecece8c89cac6f815952157c3447be7d69820f328c2d04c721e40238/analysis/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


FROM THE COMPROMISED WEBSITE TO THE EXPLOIT KIT

www.fitrahpower.com (Compromised website) to anadoluengellilerkenti.com (First redirect):


anadoluengellilerkenti.com (First redirect) to bealplay.com (Second redirect):


bealplay.com (Second redirect) to Magnitude EK:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.