2017-08-04 - MAGNITUDE EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-08-04-Magnitude-EK-data-dump-6-pcaps.zip   1.99 MB (1,990,225 bytes)

• 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-1st-run.pcap   (663,717 bytes)
• 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-2nd-run.pcap   (785,769 bytes)
• 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-3rd-run.pcap   (762,633 bytes)
• 2017-08-04-Magnitude-EK-sends-Cerber-ransomware-1st-run.pcap   (768,245 bytes)
• 2017-08-04-Magnitude-EK-sends-Cerber-ransomware-2nd-run.pcap   (774,780 bytes)
• 2017-08-04-Magnitude-EK-sends-Cerber-ransomware-3rd-run.pcap   (765,124 bytes)

• 2017-08-04-Magnitude-EK-data-dump-artifacts-and-malware.zip   2.47 MB (2,473,560 bytes)

• 2017-08-03-Cerber-decryption-instructions.bmp   (3,145,782 bytes)
• 2017-08-03-Cerber-decryption-instructions.hta   (78,098 bytes)
• 2017-08-03-Cerber-decryption-instructions.txt   (1,389 bytes)
• 2017-08-03-Mangitude-EK-payload-Cerber-1st-run.exe   (488,960 bytes)
• 2017-08-03-Mangitude-EK-payload-Cerber-2nd-run.exe   (562,176 bytes)
• 2017-08-03-Mangitude-EK-payload-Cerber-3rd-run.exe   (562,176 bytes)
• 2017-08-04-Cerber-decryption-instructions.bmp   (3,145,782 bytes)
• 2017-08-04-Cerber-decryption-instructions.hta   (77,947 bytes)
• 2017-08-04-Cerber-decryption-instructions.txt   (1,383 bytes)
• 2017-08-04-Mangitude-EK-payload-Cerber-1st-run.exe   (562,176 bytes)
• 2017-08-04-Mangitude-EK-payload-Cerber-2nd-run.exe   (568,320 bytes)
• 2017-08-04-Mangitude-EK-payload-Cerber-3rd-run.exe   (568,320 bytes)

NOTES:

• I didn't see any Flash exploits from Magnitude exploit kit (EK) when capturing these pcaps, despite trying a few different configurations for my vulnerable lab hosts.
• For more info on recent Magnitude EK activity, see the August 2017 Malwarebytes blog post, Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain

 

TRAFFIC

Shown above:  Traffic from an infected host filtered in Wireshark (1 of 6).

 

Shown above:  Traffic from an infected host filtered in Wireshark (2 of 6).

 

Shown above:  Traffic from an infected host filtered in Wireshark (3 of 6).

 

Shown above:  Traffic from an infected host filtered in Wireshark (4 of 6).

 

Shown above:  Traffic from an infected host filtered in Wireshark (5 of 6).

 

Shown above:  Traffic from an infected host filtered in Wireshark (6 of 6).

 

"MAGNIGATE" DOMAINS:

• 188.165.10[.]178 port 80 - 63b65c2hbbf1.salehad[.]com   (2017-08-03 1st run)
• 188.165.10[.]178 port 80 - 3763c87uc95awe75q.salehad[.]com   (2017-08-03 2nd run)
• 188.165.10[.]178 port 80 - a0869a8d9w.salehad[.]com   (2017-08-03 3rd run)
• 188.165.10[.177 port 80 - 227a7e7v5qc0o.letways[.]com   (2017-08-04 1st run)
• 188.165.10[.]177 port 80 - 0i3b0p71i1j7917.boxplea[.]com   (2017-08-04 2nd run)
• 188.165.10[.]177 port 80 - 4cb6mb4qb5m.boxplea[.]com   (2017-08-04 3rd run)

MAGNITUDE EK DOMAINS:

• 188.165.92[.]16 port 80 - 1lf56w032p7.liecup[.]win   (2017-08-03 1st run)
• 188.165.92[.]16 port 80 - 61kcef667t783zdk.saferam[.]space   (2017-08-03 2nd run)
• 188.165.92[.]16 port 80 - 7o582fdb6c3cg04.kidwine[.]website   (2017-08-03 3rd run)
• 188.165.92[.]18 port 80 - 9m91dx7h1eai.ranhat[.]space   (2017-08-04 1st run)
• 51.255.20[.]152 port 80 - 2fcdg7ef8.endsbig[.]bid   (2017-08-04 2nd run)
• 51.255.20[.]152 port 80 - bfl5d5f83o88.pivary[.]racing   (2017-08-04 3rd run)

CERBER POST-INFECTION TRAFFIC (2017-08-03 SAMPLES AND FIRST 2017-08-04 SAMPLE):

• 73.107.12[.]0 - 73.107.12[.]31 (73.107.12[.]0/27) UDP port 6893 - post-infection UDP scan
• 75.1.200[.]0 - 75.1.200[.]31 (75.1.200[.]0/27) UDP port 6893 - post-infection UDP scan
• 87.98.176[.]0 - 87.98.179[.]255 (87.98.176[.]0/22) UDP port 6893 - post-infection UDP scan
• 172.86.120[.]121 port 80 - qfjhpgbefuhenjp7.16g9ub[.]top - post-infection HTTP traffic

CERBER POST-INFECTION TRAFFIC (LAST TWO 2017-08-04 SAMPLES):

• 15.42.13[.]0 - 15.42.13[.]31 (15.42.13[.]0/27) UDP port 6893 - post-infection UDP scan
• 44.66.140[.]0 - 44.66.140[.]31 (44.66.140[.]0/27) UDP port 6893 - post-infection UDP scan
• 87.98.176[.]0 - 87.98.179[.]255 (87.98.176[.]0/22) UDP port 6893 - post-infection UDP scan
• 172.86.120[.]121 port 80 - qfjhpgbefuhenjp7.16g9ub[.]top - post-infection HTTP traffic

 

Shown above:  Some of the UDP traffic caused by a Cerber sample from 2017-08-04.

 

SHA256 HASHES

CERBER SAMPLES FROM MAGNITUDE EK:

• 1c26f6728257bc8e752f14917630e5b5670c3cb42e234ef323ee43fbd4cdc98c   -   2017-08-03 (1st run)
• f12d469b1b113966caadf3ba7d26be4326b66593acf643748f11c3151e33f69b   -   2017-08-03 (2nd run)
• 3333dae667ceb9589960bc8e3750afa17fc402058b70460d9bb4c75c8a618f73   -   2017-08-03 (3rd run)
• 30f55f1006e64ac6a8322ff8bda9ca50a35ff0d67f896b057e91043955e7a9c0   -   2017-08-04 (1st run)
• a146f0c5153dccc4401db2bdf226febf826a21e7b60699ecb7e18a9eb74f413c   -   2017-08-04 (2nd run)
• 6c94e19e92788be00ad0123b2b197a3248d6afb6a032d194821721f4b04c335e   -   2017-08-04 (3rd run)

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Shown above:  Cerber decryptor seen on 2017-08-04.

 

Click here to return to the main page.