2014-03-12 - MAGNITUDE EK USES IE EXPLOIT

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-03-12-Magnitude-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-03-12-Magnitude-EK-malware.zip

NOTES:

• My previous blog entry for Magnitude EK traffic happened on 2014-01-14 (link).
• I'm fairly certain this IE exploit is based on CVE-2013-2551

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

• 217.23.48.5 - arthur-abele.de - Compromised website
• 67.196.49.168 - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw - Magnitude EK domain delivers IE exploit
• 67.196.49.168 - 67.196.49.168 - Magnitude EK IP address delivers malware

INFECTION CHAIN OF EVENTS

• 05:46:05 UTC - 192.168.204.183:51102 - 217.23.48.5:80 - arthur-abele.de - GET /images/erlkonig-translation
• 05:46:06 UTC - 192.168.204.183:51103 - 67.196.49.168:80 - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw - GET /
• 05:46:07 UTC - 192.168.204.183:51104 - 67.196.49.168:80 - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw - GET
  /abc22ce71d47731fe915cbd294089ac6/faa1e631c3aeb4b16c27b07b198fea74
• 05:46:09 UTC - 192.168.204.183:51105 - 67.196.49.168:80 - 67.196.49.168 - GET /?9e0d78512228aaf6fa2a8ed089ec3f0e
• 05:46:10 UTC - 192.168.204.183:51106 - 67.196.49.168:80 - 67.196.49.168 - GET /?f7a3b94d792b8f00e40e9d6e801509f0
• 05:46:11 UTC - 192.168.204.183:51107 - 67.196.49.168:80 - 67.196.49.168 - GET /?f60f4e229efb6ae319afeabe21e88f04
• 05:46:11 UTC - 192.168.204.183:51108 - 67.196.49.168:80 - 67.196.49.168 - GET /?53a556fd250f24a6a4993b39fc44255e
• 05:46:12 UTC - 192.168.204.183:51109 - 173.194.115.115:80 - www.google.com - GET /
• 05:46:13 UTC - 192.168.204.183:51110 - 67.196.49.168:80 - 67.196.49.168 - GET /?4a682b7a09ffdeeac144fc02aedadb11
• 05:46:13 UTC - 192.168.204.183:51111 - 67.196.49.168:80 - 67.196.49.168 - GET /?1927224897ec7fdbdabd53212e9b99c2
• 05:46:38 UTC - 192.168.204.183:51112 - 74.125.227.115:80 - www.google.com - GET /

 

PRELIMINARY MALWARE ANALYSIS

FIRST MALWARE PAYLOAD

File name:  2014-03-12-Magnitude-EK-payload-01.exe
File size:  124.0 KB ( 126976 bytes )
MD5 hash:  80f546ee8ff0d0ac37224b31bea23a03
Detection ratio:  6 / 50
First submission:  2014-03-12 06:37:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2eb10a302ca9d88c712ec3928e03959d791e55c517e58277073a390d1f4db433/analysis/
Malwr link:  https://malwr.com/analysis/ZjVlMGZiOTQxNmUzNDViNGEyMjJhMDdiOGU2NzQxNDA/

 

SECOND MALWARE PAYLOAD

File name:  2014-03-12-Magnitude-EK-payload-02.exe
File size:  111.9 KB ( 114536 bytes )
MD5 hash:  6f8621f52843f8f02abc11c2bccfcb45
Detection ratio:  4 / 50
First submission:  2014-03-12 06:38:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7662b3c7092229fe48f38f63436609cabf2129c1ac98a26ddd095e6efd5e116e/analysis/
Malwr link:  https://malwr.com/analysis/NGZkYWE1NzE1YmY5NDYwNDhhNTEwNjhmODA2MGQyNGY/

 

THIRD MALWARE PAYLOAD

File name:  2014-03-12-Magnitude-EK-payload-03.exe
File size:  353.8 KB ( 362264 bytes )
MD5 hash:  ffc37bc1d1e4bcf93d4d9ad0029f17a4
Detection ratio:  6 / 50
First submission:  2014-03-12 06:39:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dc5e01ce74bee5b362220e8762787d79ef57019fbc101c0adb5ff97f3a0331fa/analysis/
Malwr link:  https://malwr.com/analysis/YTVlNDY5MDI5NzE4NDQyZThkNThlMjJkNDNjYmE0MDg/

 

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

• 05:46:06 UTC - 192.168.204.183:65239 -> 192.168.204.2:53 - ET INFO DNS Query to a *.pw domain - Likely Hostile
• 05:46:06 UTC - 192.168.204.183:51103 -> 67.196.49.168:80 - ET INFO HTTP Request to a *.pw domain
• 05:46:06 UTC - 67.196.49.168:80 -> 192.168.204.183:51103 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013
• 05:46:07 UTC - 67.196.49.168:80 -> 192.168.204.183:51104 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
• 05:46:09 UTC - 192.168.204.183:51105 -> 67.196.49.168:80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013
• 05:46:09 UTC - 192.168.204.183:51105 -> 67.196.49.168:80 - ET CURRENT_EVENTS NeoSploit - TDS
• 05:46:09 UTC - 67.196.49.168:80 -> 192.168.204.183:51105 - ET POLICY PE EXE or DLL Windows file download
• 05:46:09 UTC - 67.196.49.168:80 -> 192.168.204.183:51105 - ET MALWARE Possible Windows executable sent when remote host claims to send html content

 

HIGHLIGHTS FROM THE TRAFFIC

Search result for web page returns javascript from compromised web server - arthur-abele.de/images/erlkonig-translation

 

Magnitude EK landing page - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw/

 

Magnitude EK delivers IE exploit -
6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw/abc22ce71d47731fe915cbd294089ac6/faa1e631c3aeb4b16c27b07b198fea74

 

Three HTTP GET requests for the three different pieces of malware:

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-03-12-Magnitude-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-03-12-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.