2014-08-15 - MAGNITUDE EK FROM 212.38.166.26 - RELUCTANTRID.IN

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

MAGNITUDE EK - FIRST RUN USING IE 8 - INFECTED THROUGH IE EXPLOIT CVE-2013-2551 (ALL TIMES UTC):

NOTE:  [!] shows where a malware payload was returned.

 

MAGNITUDE EK - SECOND RUN USING IE 10 - INFECTED THROUGH JAVA EXPLOIT (ALL TIMES UTC):

NOTE:  [!] shows where a malware payload was returned.  I only recovered 3 of the 4 payloads in the second run.

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT (CVE-2014-0515):

File name:  2014-08-15-Magnitude-EK-flash-exploit.swf
File size:  5.2 KB ( 5334 bytes )
MD5 hash:  a25806d43e0eeb62e98fadc32cc18320
Detection ratio:  3 / 54
First submission:  2014-08-15 14:42:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a5fb9f7882b2153945e62100f5d541d1bda2c28d6a46bbe9c64f4c9374a7f5b9/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-15-Magnitude-EK-java-exploit.jar
File size:  13.6 KB ( 13932 bytes )
MD5 hash:  f4ab6fb1991af2ed3d97663757f018ab
Detection ratio:  2 / 54
First submission:  2014-08-15 14:43:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c81a53e9f8491d35cdee980546baba4a94af0cd7aaaf79cf4f6feafebe03474c/analysis/

 

FIRST RUN MALWARE PAYLOAD 1 OF 5:

File name:  2014-08-15-Magnitude-EK-first-run-malware-payload-1-of-5.exe
File size:  336.0 KB ( 344108 bytes )
MD5 hash:  0f3108797ea57a411efc35c836a0cd8a
Detection ratio:  2 / 54
First submission:  2014-08-15 14:43:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c59581f629a1d4ea1ba890808b894c3bc27c69b0c1ffa103638979b5a1d94d58/analysis/

 

FIRST RUN MALWARE PAYLOAD 2 OF 5 (ALSO SECOND RUN 2 OF 3):

File name:  2014-08-15-Magnitude-EK-first-run-malware-payload-2-of-5.exe
File name:  2014-08-15-Magnitude-EK-second-run-malware-payload-2-of-3.exe
File size:  392.0 KB ( 401408 bytes )
MD5 hash:  cb979cd2b04c9495e5acc1d07a6dda6b
Detection ratio:  4 / 53
First submission:  2014-08-15 14:43:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/562f7a5d993d4d4015ba596218418c08e38be747b35950853b950b22ad7dd7f2/analysis/

 

FIRST RUN MALWARE PAYLOAD 3 OF 5 (ALSO SECOND RUN 3 OF 3) - ZEMOT:

File name:  2014-08-15-Magnitude-EK-first-run-malware-payload-3-of-5.exe
File name:  2014-08-15-Magnitude-EK-second-run-malware-payload-3-of-3.exe
File size:  96.0 KB ( 98304 bytes )
MD5 hash:  3661b4d7267372471e9ff775d85a805d
Detection ratio:  12 / 54
First submission:  2014-08-15 14:45:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f77b875e6b8fd507605db6e0fdb28f8680a7068dca1670aee7d2cec313341221/analysis/

 

FIRST RUN MALWARE PAYLOAD 4 OF 5:

File name:  2014-08-15-Magnitude-EK-first-run-malware-payload-4-of-5.exe
File size:  88.0 KB ( 90112 bytes )
MD5 hash:  719f257f40dccecbf8536714f12321a1
Detection ratio:  12 / 54
First submission:  2014-08-15 14:45:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9e1e5defa192a7d125c8bba0be8a3ca887e9327db16a47fd562804bdbc34ca5d/analysis/

 

FIRST RUN MALWARE PAYLOAD 5 OF 5:

File name:  2014-08-15-Magnitude-EK-first-run-malware-payload-5-of-5.exe
File size:  95.0 KB ( 97280 bytes )
MD5 hash:  45b815baa2e4585555436160b679cd87
Detection ratio:  3 / 54
First submission:  2014-08-15 14:45:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bb57bb6bd2a4824f26d2e173ba3a7e8f4f4f2ae92e6595e32842ec87d5ab36fb/analysis/

 

SECOND RUN MALWARE PAYLOAD 1 OF 3 - CRYPTOWALL:

File name:  2014-08-15-Magnitude-EK-second-run-malware-payload-1-of-3.exe
File size:  174.5 KB ( 178688 bytes )
MD5 hash:  24ba0b21f3dd12f542c55670dba65c47
Detection ratio:  21 / 54
First submission:  2014-08-15 05:17:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/76dbc0b33a6431dce56b3b81b7815eb6620bae9ee0cd28a6f58f0596c28e74b4/analysis/

 

RERDOM MALWARE FOUND IN APPDATA\LOCAL\TEMP DIRECTORY:

File name:  2014-08-15-UpdateFlashPlayer_e3becc8a.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  3e8696df786c549d0e3c287b262e11eb
Detection ratio:  4 / 53
First submission:  2014-08-15 14:48:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dadbc9d67b3f128fe829026a5abcbb1d20e31df69af1fb56bf1a5f1353881730/analysis/
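The entries above are the indicators most people will actually reuse, so here is an added Python example (not code from the original write-up) that turns them into something you can match a triage directory against. It parses two of the entries above, embedded as a constructed sample in the page's own "Key:  value" layout, recovers the SHA-256 that is only present inside the VirusTotal URL, de-duplicates samples listed under more than one name, and then compares files by size and by both hashes so that a renamed copy still matches while a truncated or wrong copy is reported. The function and field names are my own choices, not anything the page defines.

```python
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: two entries copied from the write-up above, in the
# same "Key:  value" layout the page uses.
SAMPLE_ENTRIES = """\
FLASH EXPLOIT (CVE-2014-0515):

File name:  2014-08-15-Magnitude-EK-flash-exploit.swf
File size:  5.2 KB ( 5334 bytes )
MD5 hash:  a25806d43e0eeb62e98fadc32cc18320
Detection ratio:  3 / 54
First submission:  2014-08-15 14:42:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a5fb9f7882b2153945e62100f5d541d1bda2c28d6a46bbe9c64f4c9374a7f5b9/analysis/

RERDOM MALWARE FOUND IN APPDATA\\LOCAL\\TEMP DIRECTORY:

File name:  2014-08-15-UpdateFlashPlayer_e3becc8a.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  3e8696df786c549d0e3c287b262e11eb
Detection ratio:  4 / 53
First submission:  2014-08-15 14:48:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dadbc9d67b3f128fe829026a5abcbb1d20e31df69af1fb56bf1a5f1353881730/analysis/
"""

FIELD_RE = re.compile(
    r"^(File name|File size|MD5 hash|Detection ratio|First submission|VirusTotal link):\s+(.+)$"
)
SIZE_RE = re.compile(r"\(\s*(\d+)\s+bytes\s*\)")      # exact byte count inside the parentheses
VT_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")  # SHA-256 embedded in the VirusTotal URL
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class FileIoc:
    label: str                                   # heading the entry appeared under
    names: List[str] = field(default_factory=list)  # a sample may be listed under several names
    size: Optional[int] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None


def parse_iocs(text: str) -> List[FileIoc]:
    """Parse the write-up's entry blocks into FileIoc records.

    A line ending in ':' that is not a field opens a new record; the SHA-256 is
    taken from the VirusTotal link. Records without any hash are dropped and a
    sample listed twice (same md5/sha256 pair) is kept once.
    """
    records: List[FileIoc] = []
    current: Optional[FileIoc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m is None:
            if line.endswith(":"):
                current = FileIoc(label=line[:-1])
                records.append(current)
            continue
        if current is None:
            raise ValueError(f"field before any heading: {line}")
        key, value = m.group(1), m.group(2).strip()
        if key == "File name":
            current.names.append(value)
        elif key == "File size":
            s = SIZE_RE.search(value)
            current.size = int(s.group(1)) if s else None
        elif key == "MD5 hash":
            if not MD5_RE.match(value):
                raise ValueError(f"malformed MD5 under {current.label}: {value}")
            current.md5 = value.lower()
        elif key == "VirusTotal link":
            s = VT_SHA256_RE.search(value)
            current.sha256 = s.group(1).lower() if s else None
    unique, seen = [], set()
    for r in records:
        key = (r.md5, r.sha256)
        if (r.md5 or r.sha256) and key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-256 of an in-memory buffer (used by the self-test)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> Tuple[int, str, str]:
    """Stream a file once and return (size, md5, sha256)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def check_against_iocs(size: int, md5: str, sha256: str, iocs: Iterable[FileIoc]) -> List[Dict[str, object]]:
    """Match one file against every IOC. Either hash is enough to flag it (a sample
    may be listed with only one); a hash hit whose size differs is still reported,
    with size_ok=False, so a wrong or truncated copy is visible to the analyst."""
    hits = []
    for ioc in iocs:
        md5_hit = ioc.md5 is not None and ioc.md5 == md5.lower()
        sha_hit = ioc.sha256 is not None and ioc.sha256 == sha256.lower()
        if md5_hit or sha_hit:
            hits.append({"label": ioc.label, "md5": md5_hit, "sha256": sha_hit,
                         "size_ok": ioc.size is None or ioc.size == size})
    return hits


def scan_directory(directory: Path, iocs: List[FileIoc]) -> Dict[str, List[Dict[str, object]]]:
    """Hash every file under directory and return {path: hits} for files that match."""
    results: Dict[str, List[Dict[str, object]]] = {}
    for p in sorted(directory.rglob("*")):
        if p.is_file():
            hits = check_against_iocs(*hash_file(p), iocs)
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    import sys
    iocs = parse_iocs(SAMPLE_ENTRIES)
    for ioc in iocs:
        print(f"{ioc.label}: {ioc.names} size={ioc.size} md5={ioc.md5} sha256={ioc.sha256}")
    if len(sys.argv) > 1:  # optional: python script.py <directory-of-samples>
        for path, hits in scan_directory(Path(sys.argv[1]), iocs).items():
            print(path, hits)
```

Feed it the full page instead of SAMPLE_ENTRIES and the "MALWARE:" blocks under the traffic sections collapse onto the payload entries they repeat, because de-duplication is by hash pair rather than by file name. Matching on either hash, and reporting size separately, is deliberate: later write-ups often list only one of the two, and a size mismatch on a hash hit is the quickest sign that you are looking at the wrong copy.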

 

SNORT EVENTS FIRST RUN (IE 8)

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SNORT EVENTS SECOND RUN (IE 10)

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

ZEMOT INFECTION TRAFFIC

MALWARE:

File name:  2014-08-15-Magnitude-EK-first-run-malware-payload-3-of-5.exe
File name:  2014-08-15-Magnitude-EK-second-run-malware-payload-3-of-3.exe
MD5 hash:  3661b4d7267372471e9ff775d85a805d
VirusTotal link:  https://www.virustotal.com/en/file/f77b875e6b8fd507605db6e0fdb28f8680a7068dca1670aee7d2cec313341221/analysis/

 

INFECTION TRAFFIC:

NOTE:  [!] is where the follow-up Rerdom malware was downloaded.

 

SNORT EVENTS:

 

CRYPTOWALL INFECTION TRAFFIC

MALWARE:

File name:  2014-08-15-Magnitude-EK-second-run-malware-payload-1-of-3.exe
MD5 hash:  24ba0b21f3dd12f542c55670dba65c47
VirusTotal link:  https://www.virustotal.com/en/file/76dbc0b33a6431dce56b3b81b7815eb6620bae9ee0cd28a6f58f0596c28e74b4/analysis/

 

INFECTION TRAFFIC:

 

SNORT EVENTS:

 

Bitcoin account for ransom payment:  14ytdF3C9VRbttMfh9J56yR9ZWqfmFbBWN

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
