2015-03-01 - MAGNITUDE EK - 188.138.68.68 - EFD6D9.02.3F.9874379.73336DA.A6800E.7B.XRDIP554S7QW.MATTERHANDLES.IN

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

MAGNITUDE EK:

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-03-01-Magnitude-EK-flash-exploit.swf
File size:  9.8 KB ( 10011 bytes )
MD5 hash:  5200317aadd2161c0c7e1d5a69e54475
Detection ratio:  5 / 57
First submission:  2015-03-01 17:41:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a024fd6928d10a85826ce1f7a01f6661b6a0abfa803ee9db3458a84f239821ae/analysis/

 

MALWARE PAYLOAD 1 OF 4 - CRYPTOWALL 3.0:

File name:  2015-03-01-Magnitude-EK-payload-1-of-4-CryptoWall-3.0.exe
File size:  136.5 KB ( 139776 bytes )
MD5 hash:  6c2221cf298fa4fcf58e696bc09ebe51
Detection ratio:  7 / 57
First submission:  2015-03-01 17:41:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c67ba1bce6777005635f02739c731d39d94c97a8ccacb475cf4b9dfe22017327/analysis/
Malwr link:  https://malwr.com/analysis/ODdlZjkyN2ExNDczNGNkOWI4ODc4MTMzM2Q5Mjc5ZWE/

Post-infection traffic:

  • 2015-03-01 19:48:49 UTC - myexternalip.com - GET /raw
  • 2015-03-01 19:48:49 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?n=4r7yelv4et89
  • 2015-03-01 19:49:11 UTC - 162.144.77.82 port 80 - itsafixation.com - POST /img2.php?r=4r7yelv4et89
  • 2015-03-01 19:49:12 UTC - 91.234.34.28 port 80 - freebie.net.ua - POST /img1.php?d=4r7yelv4et89
  • 2015-03-01 19:49:16 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?u=ozooywrl78x4j
  • 2015-03-01 19:49:37 UTC - 162.144.77.82 port 80 - itsafixation.com - POST /img2.php?q=ozooywrl78x4j
  • 2015-03-01 19:49:38 UTC - 91.234.34.28 port 80 - freebie.net.ua - POST /img1.php?e=ozooywrl78x4j
  • 2015-03-01 19:49:43 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?f=46wp4teaoei
  • 2015-03-01 19:50:00 UTC - google.com - GET /
  • 2015-03-01 19:50:01 UTC - www.google.co.uk - GET /?gfe_rd=cr&ei=aG3zVPL1M8Go8wfU54CoCA
  • 2015-03-01 19:50:04 UTC - 162.144.77.82 port 80 - itsafixation.com - POST /img2.php?o=46wp4teaoei
  • 2015-03-01 19:50:05 UTC - 91.234.34.28 port 80 - freebie.net.ua - POST /img1.php?z=46wp4teaoei
  • 2015-03-01 19:51:14 UTC - 193.25.112.225 port 80 - hoinar.info - POST /img2.php?y=k83l3eevau8q
  • 2015-03-01 19:51:15 UTC - 183.111.161.85 port 80 - basofttech.com - POST /renew/img2.php?t=k83l3eevau8q
  • 2015-03-01 19:51:16 UTC - 198.154.201.232 port 80 - precisioncheck.com - POST /img5.php?e=k83l3eevau8q
  • 2015-03-01 19:51:21 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?b=4p7h83nh4x
  • 2015-03-01 19:51:22 UTC - 111.221.44.235 port 80 - ghostpowered.net - POST /img3.php?h=4p7h83nh4x
  • 2015-03-01 19:51:29 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?w=w9odk5mk24e
  • 2015-03-01 19:51:31 UTC - 111.221.44.235 port 80 - ghostpowered.net - POST /img3.php?r=w9odk5mk24e
  • 2015-03-01 19:51:46 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?o=85f84fgeo00q7
  • 2015-03-01 19:51:46 UTC - 111.221.44.235 port 80 - ghostpowered.net - POST /img3.php?i=85f84fgeo00q7
  • 2015-03-01 19:52:19 UTC - DNS query for: paytoc4gtpn5czl2.torconnectpaycom [response: No such name]

Snort events:

  • various IP addresses port 80 - ET TROJAN CryptoWall Check-in (sid:2018452)
  • DNS query for: paytoc4gtpn5czl2.torconnectpaycom - ET TROJAN Cryptowall 3.0 .onion Proxy Domain (sid:2020182)
  • various IP addresses port 80 - [1:33450:2] MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection
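The check-in pattern in the listing above is worth detecting on its own: the token stays constant while the one-letter parameter name and the destination host change, which is how the sample walks its list of fallback proxies (three hosts for 4r7yelv4et89, then the next token). The Python below is an added example, not part of the original post: it parses log lines in the format used on this page, matches POSTs of the shape seen above (an imgN.php script with a single one-letter parameter and a short alphanumeric token), and groups them by token. The sample log is a trimmed copy of the lines listed above; the check-in regex is derived from those seven requests and is an assumption about the family, not a published rule.

```python
import re
from collections import defaultdict

# Trimmed copy of the post-infection traffic listed above (same line format).
SAMPLE_LOG = """\
2015-03-01 19:48:49 UTC - myexternalip.com - GET /raw
2015-03-01 19:48:49 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?n=4r7yelv4et89
2015-03-01 19:49:11 UTC - 162.144.77.82 port 80 - itsafixation.com - POST /img2.php?r=4r7yelv4et89
2015-03-01 19:49:12 UTC - 91.234.34.28 port 80 - freebie.net.ua - POST /img1.php?d=4r7yelv4et89
2015-03-01 19:49:16 UTC - 176.31.96.224 port 80 - le4um.com - POST /img1.php?u=ozooywrl78x4j
2015-03-01 19:50:00 UTC - google.com - GET /
2015-03-01 19:51:15 UTC - 183.111.161.85 port 80 - basofttech.com - POST /renew/img2.php?t=k83l3eevau8q
"""

# One line of the page's traffic listing: timestamp, optional "ip port N",
# host, method and URI.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) - )?"
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Check-in shape observed above (assumed, derived from the listed requests):
# optional directory, imgN.php, exactly one single-letter parameter whose
# value is an 8-16 character lowercase alphanumeric token.
CHECKIN_RE = re.compile(
    r"^/(?:[\w-]+/)*img\d\.php\?(?P<param>[a-z])=(?P<token>[a-z0-9]{8,16})$"
)


def parse_line(line):
    """Split one listing line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_checkins(log_text):
    """Return {token: [(host, param), ...]} for every POST matching the check-in shape."""
    by_token = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        m = CHECKIN_RE.match(rec["uri"])
        if m:
            by_token[m.group("token")].append((rec["host"], m.group("param")))
    return dict(by_token)


def suspicious_tokens(log_text, min_hosts=2):
    """Tokens POSTed to several different hosts: the proxy-walking behaviour seen above."""
    return sorted(
        token
        for token, hits in find_checkins(log_text).items()
        if len({host for host, _ in hits}) >= min_hosts
    )


if __name__ == "__main__":
    for token, hits in find_checkins(SAMPLE_LOG).items():
        print(token, hits)
    print("tokens reused across hosts:", suspicious_tokens(SAMPLE_LOG))
```

Grouping by token rather than by URI is the point: a rule that keys on "/img1.php?n=" misses the same beacon sent as "/img2.php?r=" to the next proxy a few seconds later, while the token ties the three requests together.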

 

MALWARE PAYLOAD 2 OF 4 - SIMDA:

File name:  2015-03-01-Magnitude-EK-payload-2-of-4-Simda.exe
File size:  878.5 KB ( 899584 bytes )
MD5 hash:  9c6b7775d502d83ca2094a8514228a90
Detection ratio:  5 / 57
First submission:  2015-03-01 17:43:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3395bcdef72c88c9fa322aaca468508f8e390e9ed781e15ffb5a6f10ef9e051e/analysis/
Malwr link:  https://malwr.com/analysis/OWExNDk0NjczNTk3NDJkOGFkN2YxZjU2MjkyYjNlOWE/

Post-infection traffic:

  • 2015-03-01 17:51:23 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?CE5531=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:23 UTC - 94.242.253.106 port 80 - report.3o79my79oc7s317u3m.com - POST /
  • 2015-03-01 17:51:37 UTC - 94.242.253.106 port 80 - update.0bgjbdfg4i.com - GET /?fb=kdajxpmmmZJkxcicl52Yy5egZ8ij[long string of characters]
  • 2015-03-01 17:51:37 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?1uOCE43=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:37 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?wSKU5m20=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:37 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?7aAA79e17=%96%C6%A3%D1%AA%
  • 2015-03-01 17:51:37 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?7uO1o58=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:37 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?cEI3q755=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:42 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?1i93qGM16=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:49 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?79uO709=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:50 UTC - www.bing.com - GET /chrome/report.html?55k5y55=%9B%EE%EDk%D9%DF[long string of characters]
  • 2015-03-01 17:51:50 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?79a1725=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:50 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?e79kUO57=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:50 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?A79e63=%96%C6%A3%D1%AA[long string of characters]
  • 2015-03-01 17:51:50 UTC - 198.37.114.178 port 80 - report.3o79my79oc7s317u3m.com - GET /?555e518=%96%C6%A3%D1%AA[long string of characters]

Snort events:

  • 198.37.114.178 port 80 - ET TROJAN Simda.C Checkin (sid:2016300)
  • 94.242.253.106 port 80 - ETPRO TROJAN Backdoor.Win32.Simda.abpn Checkin (sid:2807145)
  • 198.37.114.178 port 80 - [1:22937:5] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection
  • 94.242.253.106 port 80 - [1:26212:2] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection
  • www.bing.com - [1:20661:4] MALWARE-CNC Simbda variant outbound connection
  • www.bing.com - [1:25038:2] BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt

 

MALWARE PAYLOAD 3 OF 4 - ZBOT/BUNITU VARIANT:

File name:  2015-03-01-Magnitude-EK-payload-3-of-4-Zbot-Bunitu.exe
File size:  98.9 KB ( 101307 bytes )
MD5 hash:  dd022fe79d034c42e457a70b2b6e4156
Detection ratio:  4 / 57
First submission:  2015-03-01 17:43:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/18f05733f2d0fefdb27cabac4ad1abe511cdee57b840a2d54b95ea319552c8d7/analysis/
Malwr link:  https://malwr.com/analysis/NGY3NjZlZDczODU1NGQyMmE4Mzg3ZWY1YmY1NzZhZjU/

Post-infection traffic:

  • DNS query for: ns1.dianamyinfin.xyz - 110.201.5.111 first, then 125.83.138.92 throughout rest of the pcap
  • 2015-03-01 17:51:38 UTC - 95.211.233.121 port 53 - TCP traffic
  • 2015-03-01 17:51:39 UTC - google.com - TCP connection, but no traffic
  • 2015-03-01 17:51:39 UTC - 66.199.229.91 port 53 - TCP traffic
  • 2015-03-01 17:51:41 UTC - 85.17.144.8 port 53 - TCP traffic
  • 2015-03-01 17:51:42 UTC - 76.73.102.74 port 53 - TCP traffic and continues through rest of the pcap

Snort events:

  • 95.211.233.121 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel port 53 (sid:2808226)
  • 66.199.229.91 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
  • 85.17.143.84 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
  • 76.73.102.74 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
  • 85.17.143.84 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
  • 76.73.102.74 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
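The Zbot/Bunitu traffic above is plain TCP to port 53, which the ETPRO rules label a covert channel: the port is chosen to pass firewalls that allow DNS, but the payload is not DNS. The Python below is an added example, not from the original post, of the check a sensor can make on the first segment of such a stream: DNS over TCP carries a two-byte length prefix (RFC 1035) followed by a 12-byte header and a question section, and a payload that does not parse that way on port 53 deserves a look. The page does not include the packet bytes, so the inputs are constructed: a real DNS-over-TCP query built by the helper (the name is the one queried by this sample) and three non-DNS payloads.

```python
import struct

# Query classes that legitimately appear in a question section: IN, CH, HS, NONE, ANY.
VALID_QCLASSES = {1, 3, 4, 254, 255}


def build_dns_query(name, qtype=1, txid=0x1234):
    """Construct a minimal TCP-framed DNS query for NAME (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    message = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(message)) + message


def parse_qname(message, offset):
    """Parse an uncompressed name at OFFSET; return (name, next_offset) or None."""
    labels = []
    while True:
        if offset >= len(message):
            return None
        length = message[offset]
        offset += 1
        if length == 0:
            break
        # Bits 6/7 set means a compression pointer or a label longer than 63 bytes;
        # neither belongs in the first question name of a message on the wire here.
        if length & 0xC0 or offset + length > len(message):
            return None
        label = message[offset:offset + length]
        if not all(0x21 <= c < 0x7F for c in label):
            return None  # non-printable bytes: not a hostname-style label
        labels.append(label.decode("ascii"))
        offset += length
    return ".".join(labels), offset


def looks_like_dns_tcp(payload):
    """Heuristic: True if PAYLOAD is plausibly one DNS message in TCP framing."""
    if len(payload) < 2 + 12:
        return False
    (declared_len,) = struct.unpack("!H", payload[:2])
    if declared_len != len(payload) - 2:  # length prefix must cover the message
        return False
    message = payload[2:]
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    opcode = (flags >> 11) & 0xF       # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
    zbit = (flags >> 6) & 1            # reserved, must be zero
    rcode = flags & 0xF                # header RCODEs are 0..10
    if opcode not in (0, 1, 2, 4, 5) or zbit or rcode > 10 or qdcount < 1:
        return False
    parsed = parse_qname(message, 12)
    if parsed is None:
        return False
    _name, offset = parsed
    if offset + 4 > len(message):
        return False
    _qtype, qclass = struct.unpack("!HH", message[offset:offset + 4])
    return qclass in VALID_QCLASSES


def _framed(message):
    return struct.pack("!H", len(message)) + message


# Constructed samples: one genuine query and three things that are not DNS.
SAMPLES = {
    "dns_over_tcp": build_dns_query("ns1.dianamyinfin.xyz"),
    # TLS record header + ClientHello start: length prefix 0x1603 cannot match.
    "tls_client_hello": bytes.fromhex("160301002a0100002603030000") + bytes(30),
    # Correct length prefix, but all-ones flags give opcode 15.
    "framed_junk": b"\x00\x12" + b"\xff" * 18,
    # Valid header, but the question name carries binary label bytes.
    "binary_label": _framed(struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0)
                            + b"\x03\x01\x02\x03\x00" + struct.pack("!HH", 1, 1)),
}


def triage(samples):
    """Map each sample name to the heuristic's verdict."""
    return {name: looks_like_dns_tcp(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:18s} dns={verdict}")
```

In a sensor this runs over the reassembled stream rather than a single packet, and a false on port 53 is a trigger for a closer look, not a verdict by itself: the rules above fired on four different port-53 servers for one infection, which is the corroboration you want.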

 

MALWARE PAYLOAD 4 OF 4 - REDYMS/RAMDO VARIANT:

File name:  2015-03-01-Magnitude-EK-payload-4-of-4-Redyms-Ramdo.exe
File size:  313.8 KB ( 321360 bytes )
MD5 hash:  2ff5694af15d0bc253654094fec497d8
Detection ratio:  0 / 57
First submission:  2015-03-01 17:44:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7cd4408e9d743e47d8fc193cb10ac591fe6612f42f669f6d8008d8ad43a879c1/analysis/
Malwr link:  https://malwr.com/analysis/ZTAzZGQ1ZWIyZTY5NGEyOWFkNzU2M2ZlNzljZjE5MjE/

Post-infection traffic:

  • 2015-03-01 17:53:14 UTC - www.google.com - GET /
  • 2015-03-01 17:53:14 UTC - DNS query for: ywoqmcmwuqgysmcw.org [response: Server failure]
  • 2015-03-01 17:53:23 UTC - www.google.com - GET /
  • 2015-03-01 17:54:10 UTC - www.google.com - GET /
  • 2015-03-01 17:54:10 UTC - DNS query for: iqumgmcqwuqgaaus.org [response: No such name]
  • 2015-03-01 17:54:57 UTC - 166.78.144.80 port 80 - sksqqagakeicoeso.org - POST /
  • 2015-03-01 17:54:57 UTC - www.google.com - GET /
  • 2015-03-01 17:55:44 UTC - 192.42.116.41 port 80 - uoewuismooowgcui.org - POST /
  • 2015-03-01 17:55:45 UTC - www.google.com - GET /
  • 2015-03-01 17:56:32 UTC - 50.189.9.254 port 80 - uociwiiqgmqwwmkq.org - POST /
  • 2015-03-01 17:56:34 UTC - 50.189.9.254 port 80 - uociwiiqgmqwwmkq.org - GET /04.cab
  • 2015-03-01 17:56:34 UTC - 50.189.9.254 port 80 - uociwiiqgmqwwmkq.org - GET /04.cab

Snort events:

  • www.google.com - port 80 - ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com) (sid:2018430)
  • 166.78.144.80 - port 80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
  • 192.42.116.41 - port 80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
  • 166.78.144.80 port 80 - ET TROJAN Connection to Georgia Tech Sinkhole IP (Possible Infected Host) (sid:2016994)
  • 50.189.9.254 port 80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)
  • 166.78.144.80 port 80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)
  • 192.42.116.41 port 80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)
  • 166.78.144.80 port 80 - ET TROJAN Known Sinkhole Response Header (sid:2016803)
  • 192.42.116.41 port 80 - ET TROJAN Known Sinkhole Response Header (sid:2016803)
  • www.google.com - port 80 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
  • 50.189.9.254 port 80 - [1:30547:2] MALWARE-CNC Win.Trojan.Ramdo variant outbound connection
  • 166.78.144.80 port 80 - [1:30547:2] MALWARE-CNC Win.Trojan.Ramdo variant outbound connection
  • 192.42.116.41 port 80 - [1:30547:2] MALWARE-CNC Win.Trojan.Ramdo variant outbound connection
  • 166.78.144.80 port 80 - [1:25018:3] BLACKLIST Connection to malware sinkhole
  • 192.42.116.41 port 80 - [1:30320:1] BLACKLIST Connection to malware sinkhole
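All five domains this payload tried are 16 lowercase letters directly under .org, and every letter comes from the same 13-letter set (a c e g i k m o q s u w y); two lookups failed and two of the three that resolved went to sinkholes. The Python below is an added example, not from the original post: it triages log lines in the format used on this page, flags domains matching that shape, and separates lookups that failed from domains that were actually contacted over HTTP (the live or sinkholed C2s). The alphabet rule is taken from the five domains listed above and is used here as an assumption about the DGA rather than a published description of it; the sample log is a copy of the payload-4 traffic plus one benign lookup added for contrast.

```python
import re

# Letters used by every one of the five 16-character .org domains listed above
# (assumed to characterise the DGA; derived from those five samples).
RAMDO_ALPHABET = frozenset("acegikmoqsuwy")

DNS_RE = re.compile(
    r"DNS query for: (?P<name>[\w.-]+)(?: \[response: (?P<resp>[^\]]+)\])?"
)
HTTP_RE = re.compile(r" - (?P<host>[\w.-]+) - (?P<method>GET|POST) (?P<uri>\S+)$")

# Constructed sample: the payload-4 traffic listed above in the page's line format,
# plus a benign lookup (last line) that is not from the page.
SAMPLE_LOG = """\
2015-03-01 17:53:14 UTC - www.google.com - GET /
2015-03-01 17:53:14 UTC - DNS query for: ywoqmcmwuqgysmcw.org [response: Server failure]
2015-03-01 17:54:10 UTC - www.google.com - GET /
2015-03-01 17:54:10 UTC - DNS query for: iqumgmcqwuqgaaus.org [response: No such name]
2015-03-01 17:54:57 UTC - 166.78.144.80 port 80 - sksqqagakeicoeso.org - POST /
2015-03-01 17:55:44 UTC - 192.42.116.41 port 80 - uoewuismooowgcui.org - POST /
2015-03-01 17:56:32 UTC - 50.189.9.254 port 80 - uociwiiqgmqwwmkq.org - POST /
2015-03-01 17:56:34 UTC - 50.189.9.254 port 80 - uociwiiqgmqwwmkq.org - GET /04.cab
2015-03-01 17:56:40 UTC - DNS query for: update.example.net
"""


def ramdo_like(domain):
    """True for a 16-letter second-level label from RAMDO_ALPHABET directly under .org."""
    labels = domain.lower().rstrip(".").split(".")
    return (len(labels) == 2 and labels[1] == "org"
            and len(labels[0]) == 16 and set(labels[0]) <= RAMDO_ALPHABET)


def triage(log_text):
    """Return (sorted candidates, {domain: failed response}, set of domains contacted over HTTP)."""
    candidates, failed, contacted = set(), {}, set()
    for line in log_text.splitlines():
        dns = DNS_RE.search(line)
        if dns:
            name = dns.group("name")
            if ramdo_like(name):
                candidates.add(name)
                resp = dns.group("resp")
                if resp and resp != "No error":
                    failed[name] = resp
            continue
        http = HTTP_RE.search(line)
        if http and ramdo_like(http.group("host")):
            candidates.add(http.group("host"))
            contacted.add(http.group("host"))
    return sorted(candidates), failed, contacted


if __name__ == "__main__":
    cands, failed, contacted = triage(SAMPLE_LOG)
    print("DGA-shaped domains:", cands)
    print("failed lookups:", failed)
    print("contacted over HTTP:", sorted(contacted))
```

The contacted set is the one to pivot on: a failed lookup for a DGA domain only says the bot is running, while a successful POST identifies the server that answered, which on this page was a Georgia Tech sinkhole for two of the three.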

 

SCREENSHOTS

Images from the CryptoWall 3.0 infection:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
