2014-09-10 - BIZCN GATE ACTOR'S GATE ON 75.102.9.195 POINTS TO MAGNITUDE EK

PCAP AND MALWARE:

 

NOTES:

UPDATE:

 

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND ASSOCIATED WITH BIZCN GATE ACTOR:

 

MAGNITUDE EK:

NOTE:  [!] shows where a malware payload was returned

 

POST-INFECTION TRAFFIC CAUSED BY MALWARE PAYLOAD 1 OF 4 AND 4 OF 4:

 

POST-INFECTION TRAFFIC CAUSED BY MALWARE PAYLOAD 2 OF 4:

 

POST-INFECTION TRAFFIC CAUSED BY MALWARE PAYLOAD 3 OF 4:

NOTE:  Running this malware on 2014-09-11 at 11:27 UTC gave the same traffic, but the TCP port 53 activity was on 76.73.102.74
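The note above records TCP port 53 activity from payload 3 and a different destination IP on the second run, but does not say whether that traffic was actually DNS.  The check below, added here as an example (not the original post's tooling), decides whether a reassembled TCP/53 payload is a well-formed DNS-over-TCP message: two-byte length prefix, 12-byte header with a defined opcode, and a parseable question section (RFC 1035 section 4.2.2).  The sample payloads are constructed inline and are not taken from the pcap.

```python
"""Triage TCP/53 payloads: well-formed DNS-over-TCP or something else?
Added example; sample payloads are constructed, not from the capture."""
import struct
from typing import Dict, Tuple

VALID_OPCODES = {0, 1, 2, 4, 5}        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Parse a domain name at `offset`, following compression pointers.
    Returns (name, offset just past the name in the wire data)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                  # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > 63:
            raise ValueError(f"label length {length} exceeds 63")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if not jumped else end)


def classify_tcp53_payload(payload: bytes) -> Dict[str, object]:
    """Return a verdict dict: dns (bool), reason, id, qname, qtype."""
    verdict: Dict[str, object] = {"dns": False, "reason": "", "id": None,
                                  "qname": None, "qtype": None}
    if len(payload) < 14:
        verdict["reason"] = "shorter than length prefix plus DNS header"
        return verdict
    (declared,) = struct.unpack("!H", payload[:2])
    if declared != len(payload) - 2:
        verdict["reason"] = f"length prefix {declared} != {len(payload) - 2} message bytes"
        return verdict
    msg = payload[2:]
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        verdict["reason"] = f"unassigned opcode {opcode}"
        return verdict
    if qdcount == 0:
        verdict["reason"] = "no question section"
        return verdict
    offset = 12
    try:
        for i in range(qdcount):
            qname, offset = read_name(msg, offset)
            if offset + 4 > len(msg):
                raise ValueError("question truncated before QTYPE/QCLASS")
            qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
            offset += 4
            if qclass not in VALID_QCLASSES:
                raise ValueError(f"unexpected QCLASS {qclass}")
            if i == 0:
                verdict.update(qname=qname, qtype=qtype)
    except ValueError as exc:
        verdict["reason"] = str(exc)
        return verdict
    verdict.update(dns=True, id=ident, reason="parses as DNS")
    return verdict


def tcp_prefixed(msg: bytes) -> bytes:
    """Prepend the two-byte length prefix DNS uses over TCP."""
    return struct.pack("!H", len(msg)) + msg


def build_query(qname: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed standard query (RD set), class IN, for `qname`."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return tcp_prefixed(header + name + struct.pack("!HH", qtype, 1))


# Constructed payloads for the demo; none of these come from the pcap.
CONSTRUCTED = {
    "real lookup": build_query("example.com"),
    "http on tcp/53": tcp_prefixed(b"GET /gate HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    "bad length prefix": b"\x00\x05hello world!!",
}

if __name__ == "__main__":
    for label, data in CONSTRUCTED.items():
        v = classify_tcp53_payload(data)
        extra = f" qname={v['qname']} qtype={v['qtype']}" if v["dns"] else ""
        print(f"{label:18} dns={str(v['dns']):5} {v['reason']}{extra}")
```

Feed it the reassembled client-to-server bytes of each TCP/53 stream (for example from a Wireshark "Follow TCP Stream" raw export); a payload that fails the length-prefix or header checks is worth a closer look regardless of which IP it went to.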

 

OTHER POST-INFECTION TRAFFIC I COULDN'T ASSOCIATE WITH ANY OF THE MALWARE PAYLOADS:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-10-Magnitude-EK-flash-exploit.swf
File size:  13.9 KB ( 14232 bytes )
MD5 hash:  2286b79353ce67dd27bd2fa0292d221f
Detection ratio:  0 / 35
First submission:  2014-09-11 13:08:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/30ee1e990692e29fc7b3ba142a20dc8aed8d9d34134840987b105cbe297ba5fb/analysis/

 

MALWARE PAYLOAD 1 OF 4 (ZEMOT):

File name:  2014-09-10-Magnitude-EK-malware-payload-1.exe
File size:  166.1 KB ( 170128 bytes )
MD5 hash:  f36bd7daf65464ffd604dc1ec294b435
Detection ratio:  10 / 54
First submission:  2014-09-11 13:08:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0dc5af25eddb78ac612e23c8960e220ac9f8576537d9cace0647fec87bac5f6a/analysis/

 

MALWARE PAYLOAD 2 OF 4:

File name:  2014-09-10-Magnitude-EK-malware-payload-2.exe
File size:  124.0 KB ( 126976 bytes )
MD5 hash:  7c886a5cb0461367c261e51d6fc31eac
Detection ratio:  8 / 45
First submission:  2014-09-11 13:08:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/71ff08b7ee7b2ccd6404a5d07763f6d8fdec51e116883c3e59c58f543c70d827/analysis/

 

MALWARE PAYLOAD 3 OF 4:

File name:  2014-09-10-Magnitude-EK-malware-payload-3.exe
File size:  (not listed)
MD5 hash:  216a47875426a0394e29a5f3db0a627a
Detection ratio:  13 / 53
First submission:  2014-09-11 13:09:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a7e7b07bd5fb66bbfc3c6c7f06a8fae8fc06b7d206e217c32927d18c13ace624/analysis/

 

MALWARE PAYLOAD 4 OF 4 (ANOTHER ZEMOT):

File name:  2014-09-10-Magnitude-EK-malware-payload-4.exe
File size:  166.4 KB ( 170354 bytes )
MD5 hash:  83b9f9f511a276f60c29c62bacc02d27
Detection ratio:  9 / 53
First submission:  2014-09-11 13:09:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8bcd43edf57f12ec54b01b120808f6cf8508e592478915b8f0d526c5c6f81620/analysis/
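Before opening the extracted samples in an analysis VM, confirm they match the hashes listed above.  The script below is an added example, not the original post's tooling: the entries are copied from the file listings above (the page gives no file size for payload 3, so only its hashes are checked), the SHA-256 values are read out of the VirusTotal report URLs, and the assumption is that the samples sit in one directory under their original file names, as they do once the archive is unzipped.

```python
"""Verify the Magnitude EK samples against the hashes and sizes listed
on the page.  Added example; IOC entries copied from the page, SHA-256
taken from the VirusTotal URLs, directory layout assumed."""
import hashlib
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# VirusTotal file-report URLs carry the sample's SHA-256.
VT_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")
VT = "https://www.virustotal.com/en/file/{}/analysis/"


@dataclass(frozen=True)
class Sample:
    name: str
    size: Optional[int]      # None where the page lists no size
    md5: str
    vt_url: str

    @property
    def sha256(self) -> str:
        match = VT_SHA256_RE.search(self.vt_url)
        if match is None:
            raise ValueError(f"no SHA-256 in VirusTotal URL for {self.name}")
        return match.group(1).lower()


SAMPLES: List[Sample] = [
    Sample("2014-09-10-Magnitude-EK-flash-exploit.swf", 14232,
           "2286b79353ce67dd27bd2fa0292d221f",
           VT.format("30ee1e990692e29fc7b3ba142a20dc8aed8d9d34134840987b105cbe297ba5fb")),
    Sample("2014-09-10-Magnitude-EK-malware-payload-1.exe", 170128,
           "f36bd7daf65464ffd604dc1ec294b435",
           VT.format("0dc5af25eddb78ac612e23c8960e220ac9f8576537d9cace0647fec87bac5f6a")),
    Sample("2014-09-10-Magnitude-EK-malware-payload-2.exe", 126976,
           "7c886a5cb0461367c261e51d6fc31eac",
           VT.format("71ff08b7ee7b2ccd6404a5d07763f6d8fdec51e116883c3e59c58f543c70d827")),
    Sample("2014-09-10-Magnitude-EK-malware-payload-3.exe", None,
           "216a47875426a0394e29a5f3db0a627a",
           VT.format("a7e7b07bd5fb66bbfc3c6c7f06a8fae8fc06b7d206e217c32927d18c13ace624")),
    Sample("2014-09-10-Magnitude-EK-malware-payload-4.exe", 170354,
           "83b9f9f511a276f60c29c62bacc02d27",
           VT.format("8bcd43edf57f12ec54b01b120808f6cf8508e592478915b8f0d526c5c6f81620")),
]


def digest_file(path: Path) -> Tuple[str, str, int]:
    """Stream the file once and return (md5, sha256, size)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), size


def check_against(sample: Sample, md5: str, sha256: str, size: int) -> List[str]:
    """Compare observed digests and size with the page's entry.
    An empty list means every value the page lists matches."""
    problems = []
    if sample.size is not None and size != sample.size:
        problems.append(f"size {size} != listed {sample.size}")
    if md5.lower() != sample.md5.lower():
        problems.append(f"md5 {md5} != listed {sample.md5}")
    if sha256.lower() != sample.sha256:
        problems.append(f"sha256 {sha256} != VirusTotal {sample.sha256}")
    return problems


def verify_directory(directory: Path) -> Dict[str, List[str]]:
    """Check every listed sample in `directory` (the unzipped archive)."""
    results: Dict[str, List[str]] = {}
    for sample in SAMPLES:
        path = directory / sample.name
        if not path.is_file():
            results[sample.name] = ["file not present"]
            continue
        results[sample.name] = check_against(sample, *digest_file(path))
    return results


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, problems in verify_directory(target).items():
        status = "OK  " if not problems else "FAIL"
        print(f"{status} {name}" + "".join(f"\n      {p}" for p in problems))
```

Run it against the directory holding the unzipped samples; any FAIL line means the file is not the one the page describes (wrong sample, corrupted download, or a re-packed copy) and should not be treated as the artifact analysed here.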

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
