2014-10-09 - MAGNITUDE EK FROM 178.32.82.137 - 3D9A766.0EEC.BCF7E8.AF992.1E705.5F8D3.F658A0L7O9.PRESSTERMINALS.IN

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

MAGNITUDE EK:

SOME OF THE POST-INFECTION TRAFFIC:

CLICK-FRAUD TRAFFIC CAUSED BY RERDOM:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-09-Magnitude-EK-flash-exploit.swf
File size:  14.0 KB ( 14353 bytes )
MD5 hash:  970793de409f56b8783c4c86d7c2699c
Detection ratio:  1 / 55
First submission:  2014-10-09 14:51:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b9b3a25a248e2db8260733d849bafff6f881a985eb04ff213881a672bd1a7014/analysis/

MALWARE PAYLOADS

File name:  2014-10-09-Magnitude-EK-malware-payload-1-of-6.exe
MD5 hash: eb4cce3492507ab405e90a5248a7cd61  -  VirusTotal: link  -   Malwr.com: link

File name:  2014-10-09-Magnitude-EK-malware-payload-2-of-6.exe
MD5 hash: 1d2ff80c8790c79fc1137628bb49281d  -  VirusTotal: link  -   Malwr.com: link

File name:  2014-10-09-Magnitude-EK-malware-payload-3-of-6.exe
MD5 hash: fd8181250d8cfb907d86267b56e48e04  -  VirusTotal: link  -   Malwr.com: link

File name:  2014-10-09-Magnitude-EK-malware-payload-4-of-6.exe
MD5 hash: 8b717d8de3dcc7e0e9958637cc1cd9d2  -  VirusTotal: link  -   Malwr.com: link

File name:  2014-10-09-Magnitude-EK-malware-payload-5-of-6.exe
MD5 hash: fac32e50b561ac30fdd7d0adb709399e  -  VirusTotal: link  -   Malwr.com: link

File name:  2014-10-09-Magnitude-EK-malware-payload-6-of-6.exe
MD5 hash: 94ddd849ab085279d6efa3502d0734b3  -  VirusTotal: link  -   Malwr.com: link

File name:  UpdateFlashPlayer_811e7dfc.exe (Rerdom)
MD5 hash: 011012c54a264ab5991d64de0254c4fe  -  VirusTotal: link  -   Malwr.com: link

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.