2014-04-16 - MAGNITUDE EK FROM 67.196.3.67 - POUNDSWHOSE.IN

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

MAGNITUDE EK:

SOME OF THE CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

Java exploit - updated on 2014-04-15

File name:  2014-04-16-Magnitude-EK-java-exploit.jar
File size:  12.8 KB ( 13111 bytes )
MD5 hash:  c329dcf93dab1471efa81fe4d2bd8157
Detection ratio:  2 / 51
First submission:  2014-04-16 07:14:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bffdf06d70b00e82ac84986b4bc720b13b63f66555630f7b3f850d408eae9434/analysis/

Malware payloads (all had to be de-obfuscated after extraction from the PCAP, because they were XOR-ed with 0x29; see the screenshots section for a visual):

File name:  2014-04-16-Magnitude-EK-malware-payload-01.exe
VirusTotal link:  https://www.virustotal.com/en/file/7fbd059fa6a78e5baa0af91ae09ec43ef6a8977f2366b271cb7464af095c6d79/analysis/
File name:  2014-04-16-Magnitude-EK-malware-payload-02.exe
VirusTotal link:  https://www.virustotal.com/en/file/c6a365dafaa8eda82303ed986e039cdf884ca989ed7e6525be41625736fb5e15/analysis/
File name:  2014-04-16-Magnitude-EK-malware-payload-03.exe
VirusTotal link:  https://www.virustotal.com/en/file/f9dc524248ca403f96f4afbf9e1ce0bf29be64bfc73a738f6317b0a27c7657f3/analysis/
File name:  2014-04-16-Magnitude-EK-malware-payload-04.exe
VirusTotal link:  https://www.virustotal.com/en/file/4efcce91f347353e159e04c2c579fa032a7613861a460fbb1b42496d1fea3097/analysis/
File name:  2014-04-16-Magnitude-EK-malware-payload-05.exe
VirusTotal link:  https://www.virustotal.com/en/file/ec342510175c3baf67424e63893b56d906fc0a1bbf70e10616d4453d853df3f8/analysis/
File name:  2014-04-16-Magnitude-EK-malware-payload-06.exe
VirusTotal link:  https://www.virustotal.com/en/file/ec342510175c3baf67424e63893b56d906fc0a1bbf70e10616d4453d853df3f8/analysis/

Two files pulled from the user's AppData\Local\Temp directory:

File name:  UpdateFlashPlayer_734509f8.exe
VirusTotal link:  https://www.virustotal.com/en/file/f1ef15f1b72f28fce6503a4ad8019da8a5381899722bd48cf96884524e862d8e/analysis/
File name:  temp3344485282.exe
VirusTotal link:  https://www.virustotal.com/en/file/0c7d822bad3d639f58717fcb75008e0beb10945d0f149d2249d7aae435212fdf/analysis/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


SCREENSHOTS FROM THE TRAFFIC

www.deportan.com.mx (Compromised website) to ironsportsbook.com (First redirect):


www.ironsportsbook.com (First redirect) to str420.wha.la (Second redirect):


str420.wha.la (Second redirect) to Magnitude EK:


All of the malware payloads were obfuscated.  The binaries were XOR-ed with 0x29, the ASCII character ")", as shown below:

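The de-obfuscation step mentioned in the payload list and in the screenshot above, as an added example (not code from the original post): rather than hard-coding 0x29, it derives the single-byte XOR key from the "MZ" magic every PE file starts with, confirms it against the DOS-stub string, and then decodes the carved blob. The sample blob is constructed here and is not one of the real payloads.

```python
"""De-obfuscate single-byte-XOR'd PE payloads carved from a PCAP.

Magnitude EK served its payloads XOR-ed with 0x29 (")"). A PE file starts
with the "MZ" magic and carries a DOS-stub string, so both can be used to
recover the key without knowing it in advance and to check the result.
"""
import sys
from pathlib import Path
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Derive the key from the expected 'MZ' magic, then confirm it with the
    DOS stub. Returns None if the blob is not a single-byte XOR'd PE image."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")          # only one key can map byte 0 to 'M'
    if blob[1] ^ key != ord("Z"):     # ... and it must also map byte 1 to 'Z'
        return None
    head = xor_bytes(blob[:4096], key)  # the stub sits near the start of the file
    return key if DOS_STUB in head else None


def deobfuscate_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded PE image, or None if no key could be recovered."""
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


# Constructed sample: a minimal fake PE prefix obfuscated with 0x29, standing in
# for a payload carved from the PCAP (not a real Magnitude binary).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\r\n$" + b"\x00" * 16
SAMPLE_BLOB = xor_bytes(FAKE_PE, 0x29)

if __name__ == "__main__":
    # Usage: python deobfuscate.py <carved-blob> [...]; writes <name>.decoded
    for name in sys.argv[1:]:
        blob = Path(name).read_bytes()
        key = recover_xor_key(blob)
        if key is None:
            print(f"{name}: not a single-byte XOR'd PE")
            continue
        Path(name + ".decoded").write_bytes(xor_bytes(blob, key))
        print(f"{name}: key 0x{key:02x} ({chr(key)!r}), wrote decoded file")
```

A blob that is already a plain PE yields key 0x00 and is returned unchanged, which is a convenient sanity check on files that did not need decoding.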

An example of the spam that was briefly sent from my infected host.  The mail has a spoofed sender and spoofed sending IP address:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
