2014-06-24 - MAGNITUDE EK - 64.187.226.178 - 1DF74E.A2B73.ABC.8E.CF29.FB.7D.BC.3DB9D2.UJMHCMJRSLOS.OCCURSDIRTY.IN

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

MAGNITUDE EK:

SOME OF THE POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  06bbeb139df460527adfdf112a9acd7270817f28
File size:  13.5 KB ( 13820 bytes )
MD5 hash:  c2fef7dc598471f562f0c3ebf8409fd2
Detection ratio:  4 / 52
First submission:  2014-06-24 19:13:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d57d66f70e35c8f038d68472eef756483b95329335f20da0a518e51e08f5eb6/analysis/

 

MALWARE DOWNLOADED

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

NOTE 1: These Snort events were taken from Sguil on Security Onion.
NOTE 2: I recently found out that not all of the Sourcefire VRT signatures are firing on my Security Onion setup--haven't figured out why yet.

 

SCREENSHOTS

Cryptowall in action:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
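Added example (not part of the original post): a small Python script for checking samples pulled from one of these archives against the values listed under PRELIMINARY MALWARE ANALYSIS. The hashes and size in JAVA_EXPLOIT are copied from the listing above (the SHA256 is taken from the VirusTotal URL; the file name is the sample's SHA1, which is this site's naming convention). The archive password is taken as a parameter and is not reproduced here; build_demo_archive() produces a constructed, unencrypted stand-in archive so the script runs offline.

```python
import hashlib
import io
import re
import zipfile

# Values as listed on this page for the Java exploit. The file name on the
# page is the sample's SHA1; the SHA256 comes from the VirusTotal link.
JAVA_EXPLOIT = {
    "size": 13820,
    "md5": "c2fef7dc598471f562f0c3ebf8409fd2",
    "sha1": "06bbeb139df460527adfdf112a9acd7270817f28",
    "sha256": "5d57d66f70e35c8f038d68472eef756483b95329335f20da0a518e51e08f5eb6",
}

VT_FILE_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url):
    """Pull the SHA256 out of a VirusTotal file-analysis URL, or None."""
    m = VT_FILE_RE.search(url)
    return m.group(1).lower() if m else None


def hash_bytes(data):
    """Size plus MD5/SHA1/SHA256 of a sample held in memory."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_sample(data, expected):
    """Return (field, expected, actual) for every listed value that does not
    match; an empty list means the sample is the one described on the page."""
    actual = hash_bytes(data)
    return [(k, v, actual[k]) for k, v in expected.items() if actual[k] != v]


def extract_samples(zip_bytes, password=None):
    """Yield (member_name, bytes) from a ZIP held in memory.

    `password` is the site's standard archive password (assumed, supplied by
    the caller). zipfile only supports legacy ZipCrypto; an AES-encrypted
    archive raises NotImplementedError and needs a third-party library.
    Plain archives ignore the password."""
    pwd = password.encode() if isinstance(password, str) else password
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            yield info.filename, zf.read(info, pwd=pwd)


def verify_archive(zip_bytes, password=None):
    """Hash every member and, when the member name is a 40-hex SHA1 (this
    site's naming convention), record whether the content matches it."""
    report = {}
    for name, data in extract_samples(zip_bytes, password):
        h = hash_bytes(data)
        base = name.rsplit("/", 1)[-1]
        h["name_is_sha1"] = bool(re.fullmatch(r"[0-9a-f]{40}", base))
        h["name_matches"] = h["name_is_sha1"] and base == h["sha1"]
        report[name] = h
    return report


def build_demo_archive():
    """Constructed, unencrypted stand-in for one of the site's ZIPs: one
    member named by its SHA1 and one that is not, so both cases show up."""
    payload = b"constructed test bytes, not a real sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(hashlib.sha1(payload).hexdigest(), payload)
        zf.writestr("notes.txt", b"constructed notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: verify_archive(open("archive.zip", "rb").read(), "<password>")
    for member, info in verify_archive(build_demo_archive()).items():
        print(member, info["sha256"], "name matches SHA1:", info["name_matches"])
```

To check a real download, read the archive from disk, pass the password from the site's "about" page, and run check_sample() on the member whose name equals the SHA1 listed above; any non-empty result means the file on hand is not the one the post describes.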
