2014-04-17 - MAGNITUDE EK FROM 67.196.3.69 - REFERREDKNEW.IN

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

MAGNITUDE EK:

SOME OF THE CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

Java exploit - updated on 2014-04-17

File name:  2014-04-17-Magnitude-EK-java-exploit.jar
File size:  12.5 KB (12,767 bytes)
MD5 hash:  6754ef2a19d785cb444946acf0f23a63
Detection ratio:  3 / 51
First submission:  2014-04-17 08:14:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/45b864d5d0005b82a58bac091bded3b84909878cc4287e84d7567ccb998fa2fd/analysis/


Like yesterday, all of the malware payloads had to be de-obfuscated after being extracted from the PCAP: each binary was XOR-ed with the single byte 0x29 (see the screenshots section for a visual).

File name:  2014-04-17-Magnitude-EK-malware-payload-01.exe  -  MD5 hash: 9d3c3183848beb75ebdabe0e7795422c

File name:  2014-04-17-Magnitude-EK-malware-payload-02.exe  -  MD5 hash: dc3ebbc1adc63fece63d7635f6efccb0

File name:  2014-04-17-Magnitude-EK-malware-payload-03.exe  -  MD5 hash: 3a12bd5fbaacce5c8a28a0cb7ff120db

File name:  2014-04-17-Magnitude-EK-malware-payload-04.exe  -  MD5 hash: 74b5d99b8e2e52ec4867a9675240921c (same one seen yesterday)

File name:  2014-04-17-Magnitude-EK-malware-payload-05.exe  -  MD5 hash: 875e564cec70f315be73eddf4a539f97

File name:  2014-04-17-Magnitude-EK-malware-payload-06.exe  -  MD5 hash: d9bb863da6a9f77913bd6c242b7b22ac

Follow-up downloads during the post-infection traffic:

File name:  5minut1.exe  -  MD5 hash: 1bb4c583d6d233670aff17d9face62f9

File name:  5minut1-second-time.exe  -  MD5 hash: e92d600fc640f29c03c42073a9bda0d6

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


SCREENSHOTS FROM THE TRAFFIC

hayatmersin.com (Compromised website) to anadoluengellilerkenti.com (First redirect):

anadoluengellilerkenti.com (First redirect) to cafenoirproductions.com (Second redirect):

cafenoirproductions.com (Second redirect) to Magnitude EK:

Like yesterday, all of the malware payloads were obfuscated: the binaries were XOR-ed with 0x29, the ASCII character ")", as shown below.  Since 0x00 XOR 0x29 = 0x29, the null padding in the PE headers shows up as runs of ")" in the hex view, which makes this kind of obfuscation easy to spot.
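The following script is an added example for the de-obfuscation step described here and in the preliminary analysis above; it is not code from the original post.  Rather than hard-coding 0x29, it recovers the single-byte XOR key from known plaintext that every PE file carries (the "MZ" DOS header magic, with the DOS stub string as a fallback for truncated carves), so the same script still works if a later campaign changes the key byte.  The obfuscated sample it operates on is constructed inline from a minimal fake PE prefix, not a real Magnitude payload; the function and file names are the example's own.

```python
"""De-obfuscate single-byte XOR-ed PE payloads carved from a PCAP.

Added example, not code from the original post. The Magnitude EK payloads
described above were XOR-ed with 0x29 (')'); this script recovers the key
from the PE file's known plaintext instead of hard-coding it.
"""
from pathlib import Path
from typing import Optional, Tuple

# Known plaintext present in every PE file.
MZ_SIGNATURE = b"MZ"                                   # DOS header magic at offset 0
DOS_STUB = b"This program cannot be run in DOS mode."  # stub string emitted by most linkers


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


def key_from_mz(blob: bytes) -> Optional[int]:
    """Derive the key from the first two bytes, which must decode to b'MZ'.

    Returns None when the two bytes imply different keys, i.e. the blob is
    not a single-byte-XORed PE or does not start at the DOS header.
    """
    if len(blob) < 2:
        return None
    k0 = blob[0] ^ MZ_SIGNATURE[0]
    k1 = blob[1] ^ MZ_SIGNATURE[1]
    return k0 if k0 == k1 else None


def key_by_brute_force(blob: bytes) -> Optional[int]:
    """Fallback for carves that lost the DOS header: try all 256 keys and
    accept the one that reveals the DOS stub string (key 0 means 'not XOR-ed')."""
    for key in range(256):
        if DOS_STUB in xor_bytes(blob, key):
            return key
    return None


def deobfuscate(blob: bytes) -> Tuple[int, bytes]:
    """Return (key, cleartext); raise ValueError if no single-byte key checks out."""
    key = key_from_mz(blob)
    if key is not None:
        clear = xor_bytes(blob, key)
        if DOS_STUB in clear:          # header and stub agree: high confidence
            return key, clear
    key = key_by_brute_force(blob)     # header missing or garbled: rely on the stub
    if key is None:
        raise ValueError("no single-byte XOR key yields a PE DOS stub")
    return key, xor_bytes(blob, key)


def decode_file(src: str, dst: str) -> int:
    """Decode a payload carved to disk (e.g. an HTTP response body exported
    from the PCAP), write the cleartext next to it, and return the key used."""
    key, clear = deobfuscate(Path(src).read_bytes())
    Path(dst).write_bytes(clear)
    return key


# --- Constructed sample (NOT a real Magnitude payload): a minimal PE-like
# prefix with the usual DOS stub, then XOR-ed with 0x29 as the post describes. ---
SAMPLE_PE = (
    MZ_SIGNATURE + b"\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"  # e_lfanew = 0x80
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"     # DOS stub code
    + DOS_STUB + b"\r\r\n$\x00"
)
SAMPLE_PE = SAMPLE_PE.ljust(0x80, b"\x00") + b"PE\x00\x00"
OBFUSCATED = xor_bytes(SAMPLE_PE, 0x29)

if __name__ == "__main__":
    # With key 0x29 the header reads "ds" instead of "MZ" and every null
    # padding byte becomes ")", which is the tell-tale pattern in the hex view.
    key, clear = deobfuscate(OBFUSCATED)
    print(f"obfuscated header {OBFUSCATED[:2]!r}, key 0x{key:02x} ({chr(key)!r}), "
          f"decoded header {clear[:2]!r}, stub found: {DOS_STUB in clear}")
```

Run it against a carved file with decode_file("payload.bin", "payload.exe"); the returned key should be 0x29 for this campaign, and a different value (or a ValueError) is the cue that the obfuscation has changed rather than a reason to trust the output.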


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
