2014-04-26 - MAGNITUDE EK FROM 193.169.245.5 - FEELCHIPS.IN

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE AND REDIRECTS

MAGNITUDE EK

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD 1 OF 4

File name:  2014-04-26-Magnitude-EK-malware-payload-01.exe
File size:  1.0 MB ( 1061376 bytes )
MD5 hash:  985f91d442f1f42dea39e4dde3eb15c9
Detection ratio:  11 / 51
First submission:  2014-04-26 08:20:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c465d198ddfddffb1285150b6ebeaf776ec17e7eb07a70a8e48e59d6f86b1c0a/analysis/
Malwr link:  https://malwr.com/submission/status/NWU0NTQxZGUwNTA1NDBmMjkzNzc5NDBkYjk3NDM1Yjc/
NOTE: Malwr's analysis was still pending several hours later, the last time I checked

MALWARE PAYLOAD 2 OF 4

File name:  2014-04-26-Magnitude-EK-malware-payload-02.exe
File size:  128.0 KB ( 131076 bytes )
MD5 hash:  048220fb83e77d675b99ad29f9d21d52
Detection ratio:  2 / 51
First submission:  2014-04-26 07:59:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6ca9dad5b86940f33c51b67d9f39889eec914f318b700b44d877e77be15c787f/analysis/
Malwr link:  https://malwr.com/submission/status/MDljNWQ5OTA1N2IxNDZiNmExMWY4YWM3MWY4YWUzZGM/
NOTE: Malwr's analysis was still pending several hours later, the last time I checked

MALWARE PAYLOAD 3 OF 4

File name:  2014-04-26-Magnitude-EK-malware-payload-03.exe
File size:  144.0 KB ( 147456 bytes )
MD5 hash:  5c6654c44a6a4463448861a37c9a39f1
Detection ratio:  2 / 51
First submission:  2014-04-26 08:02:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/19efeae3a2ce5ce89c588996a6964f66388bf0cc3b6080506ba29c435b1b9354/analysis/
Malwr link:  https://malwr.com/submission/status/MzUxZjdiNmEyOTU5NDc4ZTg5ZjQ4NGRlYWMyZDhiMDI/
NOTE: Malwr's analysis was still pending several hours later, the last time I checked

MALWARE PAYLOAD 4 OF 4

File name:  2014-04-26-Magnitude-EK-malware-payload-04.exe
File size:  389.2 KB ( 398529 bytes )
MD5 hash:  ae4cc42547a9961bf235c0e5f7e3c6f5
Detection ratio:  8 / 51
First submission:  2014-04-26 06:33:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2140c49421afcf8c5016f0887e47820ba877be305ab5bfec922b5fb6ef460542/analysis/
Malwr link:  https://malwr.com/submission/status/NTkzZmE2ZWExMjQ5NDZkNzk1YmQxZjM5ZDAyOGY1NTU/
NOTE: Malwr's analysis was still pending several hours later, the last time I checked

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript appended to the compromised website's index page:

And similar javascript appended to one of the site's javascript files:

The first redirect pointing to Magnitude EK:

Magnitude EK landing page:

Magnitude EK sending MSIE exploit CVE-2013-2551:

First HTTP GET request for malware after a successful CVE-2013-2551 exploit:

NOTE: Of the six HTTP GET requests for a payload, only four returned malware.

Post-infection malware callback to report.17931g93a79eiqgm.com:

Post-infection malware callback to older-hiuwm.com:

Post-infection malware callback to quarante-ml.com:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.