2014-06-17 - MAGNITUDE EK FROM 212.38.166.94 - 6BA2A.20B.3A2.B0C.8DAB84.7DA44C1.89C.57.MUPQSUAR.INTOENGINEERED.IN

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


FIRST RUN INFECTION CHAIN:

FIRST RUN POST-INFECTION TRAFFIC:


SECOND RUN INFECTION CHAIN:

SECOND RUN POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOADS - FIRST RUN:


MALWARE PAYLOADS - SECOND RUN:


JAVA EXPLOIT FROM THE SECOND RUN:

File name:  2014-06-17-Magnitude-EK-java-exploit.jar
File size:  13.6 KB ( 13942 bytes )
MD5 hash:  eed92670882f368ecf45f5dfc726375b
Detection ratio:  2 / 53
First submission:  2014-06-18 00:09:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6670b0beb22dc781d780e7f67066e552efe6942d539decc4dc338a40fe434d9/analysis/


SNORT EVENTS - FIRST RUN

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

NOTE: These Snort events were taken from Sguil on Security Onion


SNORT EVENTS - SECOND RUN

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:


HIGHLIGHTS FROM THE SECOND RUN

Embedded iframe in page from compromised website:


Redirect:


Magnitude EK delivers Java exploit:


EXE payloads (for each payload, every byte is XOR-ed with 0x1e):
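The single-byte XOR described above is self-inverse, so an analyst can recover the original executables from the captured payloads by XOR-ing every byte with 0x1e again. The script below is an added example, not code from the original post: it decodes a payload with the known key, validates the result by checking for a DOS "MZ" stub and a "PE\0\0" signature at e_lfanew, and also shows how the key could be recovered by brute force for a capture where it is not known. The input header is constructed for the demonstration and is not a real payload.

```python
# Added example (not from the original post): recover PE payloads that were
# obfuscated with a single-byte XOR, as seen in this Magnitude EK capture (0x1e).
from typing import Optional

KNOWN_KEY = 0x1E  # key observed for the EXE payloads in this capture


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check for a DOS 'MZ' stub and a 'PE\\0\\0' signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the one yielding a PE, else None."""
    if len(blob) < 2:
        return None
    for key in range(256):
        # Cheap pre-filter: a valid key must map the first two bytes to 'MZ'.
        if blob[0] ^ key == ord("M") and blob[1] ^ key == ord("Z"):
            if looks_like_pe(xor_bytes(blob, key)):
                return key
    return None


def decode_payload(blob: bytes, key: int = KNOWN_KEY) -> Optional[bytes]:
    """Decode with the given key and return the PE only if it validates."""
    decoded = xor_bytes(blob, key)
    return decoded if looks_like_pe(decoded) else None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like header used as sample input (not a real payload)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    obfuscated = xor_bytes(build_sample_pe(), KNOWN_KEY)  # what the wire would carry
    print("recovered key: 0x%02x" % recover_xor_key(obfuscated))
    print("valid PE after decode:", decode_payload(obfuscated) is not None)
```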


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
