2014-03-25 - MAGNITUDE EK USES IE EXPLOIT CVE-2013-2551
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-03-25-Magnitude-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-25-Magnitude-EK-malware.zip
NOTES:
- The traffic here is similar to my previous blog entry on Magnitude EK yesterday.
- Unlike yesterday, I saw more than one malware payload, and none of these were obfuscated.
- I was also using IE 8, so the EK used CVE-2013-2551 before sending the Java exploit.
- This was done on a physical host, and below are the registry updates for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 12.25.127.34 - www.lonestarconstruction.com - Compromised website
- 50.17.198.28 - bit.do - First redirect by iframe in page from compromised website
- 108.162.199.56 - nusc.in - Second redirect using Flash ad
- 5.39.222.139 - bnxm.biz - Last redirect
- 67.196.50.155 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in - Magnitude EK
- 178.250.245.198 - 178.250.245.198 - Post-infection callback traffic
INFECTION CHAIN OF EVENTS (all times UTC)
- 06:45:53 - www.lonestarconstruction.com - GET /
- 06:45:54 - bit.do - GET /iV69
- 06:45:55 - nusc.in - GET /p4/
- 06:45:55 - nusc.in - GET /p4/red2.swf
- 06:45:56 - bnxm.biz - GET /?pi4&se_referer=http://www.lonestarconstruction.com/
- 06:45:57 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in - GET /
- 06:45:58 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in - GET /d91f0c04ca832715382dfa4dfbd603d9/1d4f57b22b8e53c8a5c2df610871ccad
- 06:45:59 - 67.196.50.155 - GET /?1b53cc1ee1f84a6a453d75829010904e
- 06:46:00 - 67.196.50.155 - GET /?27e2b5c1b76493f33f12f1e7e84d3fc0
- 06:46:00 - 67.196.50.155 - GET /?0271a51ca3217f348308031dfe183808
- 06:46:00 - 67.196.50.155 - GET /?7470aaeec6722e33c066f9db8d081ad6
- 06:46:02 - 67.196.50.155 - GET /?592052c193c6dcd2c12a05b36ae096c4
- 06:46:03 - 67.196.50.155 - GET /?6421abb3f46cf70c51fedf3cc53bad47
- 06:46:59 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in - GET /d91f0c04ca832715382dfa4dfbd603d9/ecdb4118cd898f390aaa52a37b7b9181
- 06:46:59 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in - GET /d91f0c04ca832715382dfa4dfbd603d9/ccea8e74e3d63620350f62f455136bce
POST-INFECTION CALLBACK TRAFFIC
- 06:48:34 UTC - 178.250.245.198 - GET /FqjxWLStzRB89G7oJanni9afR9C2XDXXHFxHKTnZdIpod[very long string of characters]
PRELIMINARY MALWARE ANALYSIS
MALWARE PAYLOAD 1 OF 4
File name: 2014-03-25-Magnitude-EK-malware-payload-01.exe
File size: 147.3 KB ( 150813 bytes )
MD5 hash: 7722c904b6b3e9f3e512d32350feaaa2
Detection ratio: 10 / 51
First submission: 2014-03-25 17:43:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/114682495529476e4758265a47e2baf39ab19440c6aebd4a93b4df8dedacead3/analysis/
Malwr link: https://malwr.com/analysis/NGE1ZmYxYTYxYWJiNDU0NWE3NWI1MzY4NDk5MTMyYjg/
MALWARE PAYLOAD 2 OF 4
File name: 2014-03-25-Magnitude-EK-malware-payload-02.exe
File size: 280.0 KB ( 286720 bytes )
MD5 hash: b9aaa1511b1b58c65e428c6dbec124ee
Detection ratio: 10 / 51
First submission: 2014-03-25 17:45:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/eb45fedd1b91a6e77c7b99fb50aaf76d844f402af37f083bd7290acc5b575f10/analysis/
Malwr link: https://malwr.com/analysis/NzY3NGI3ZDdiZTU0NGJkY2IxMmIxYTgxZDc5YmY4MDI/
MALWARE PAYLOAD 3 OF 4
File name: 2014-03-25-Magnitude-EK-malware-payload-03.exe
File size: 111.9 KB ( 114536 bytes )
MD5 hash: b6cee3f5c0872635b589e19c3dd97c2a
Detection ratio: 10 / 51
First submission: 2014-03-25 17:46:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/4c9dfd7bc93c7eb6fb0dcf021d4c45640dc4017a4f3aad815cdb0480ba60fa8f/analysis/
Malwr link: https://malwr.com/analysis/MTU5MzdlYzIyMmE0NGI1ZDhkZGI3OTgyMjAyMDQ5MDU/
MALWARE PAYLOAD 4 OF 4
File name: 2014-03-25-Magnitude-EK-malware-payload-04.exe
File size: 318.8 KB ( 326488 bytes )
MD5 hash: ec393ea962e5e9c76fe8f78e90e81fea
Detection ratio: 4 / 34
First submission: 2014-03-25 17:48:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/ecda684f4eef934067a0688f635a430a451ce031f9ad55e390f3f77a0a73f781/analysis/
Malwr link: https://malwr.com/analysis/ZmNiYTJmZWEwNjA3NDA5Njg2MDM0ZDQ2YzZlYjRjYzI/
JAVA EXPLOIT SENT AFTER THE CVE-2013-2551 EXPLOIT ALREADY RETRIEVED THE MALWARE
File name: 2014-03-25-Magnitude-EK-java-exploit.jar
File size: 10.1 KB ( 10314 bytes )
MD5 hash: 7508f384489e6314c0a1532a17d82e97
Detection ratio: 4 / 51
First submission: 2014-03-25 17:43:21 UTC
VirusTotal link: https://www.virustotal.com/en/file/a790685d8d86d18674a882aafbd0a6142b654e6bfb0c988e049f5ef10aef0e11/analysis/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 06:45:57 UTC - 67.196.50.155:80 - 192.168.1.107:50449 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013
- 06:45:58 UTC - 67.196.50.155:80 - 192.168.1.107:50450 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
- 06:45:59 UTC - 192.168.1.107:50451 - 67.196.50.155:80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013
- 06:45:59 UTC - 192.168.1.107:50451 - 67.196.50.155:80 - ET CURRENT_EVENTS NeoSploit - TDS
- 06:45:59 UTC - 67.196.50.155:80 - 192.168.1.107:50451 - ET POLICY PE EXE or DLL Windows file download
- 06:45:59 UTC - 67.196.50.155:80 - 192.168.1.107:50451 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
- 06:46:59 UTC - 67.196.50.155:80 - 192.168.1.107:50459 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
- 06:46:59 UTC - 67.196.50.155:80 - 192.168.1.107:50459 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 06:46:59 UTC - 67.196.50.155:80 - 192.168.1.107:50459 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 06:46:59 UTC - 192.168.1.107:50459 - 67.196.50.155:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013
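As an added example (not from the original post and not the actual Snort rule logic), here are simple heuristic versions of three of the ET signatures that fired above, run over constructed HTTP transactions that mimic this chain. The hostnames and paths come from the chain of events; the User-Agent strings, Content-Type headers and body bytes are made up.

```python
# Added example: heuristic analogues of three ET signatures from the events above,
# applied to constructed request/response pairs (not data from the pcap).
from dataclasses import dataclass

MZ_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # JAR files are ZIP archives
EK_HOST = "3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in"
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"  # constructed


@dataclass
class HttpTxn:
    host: str
    path: str
    user_agent: str    # request User-Agent header
    content_type: str  # response Content-Type header
    body: bytes        # leading bytes of the response body


def check_txn(t: HttpTxn) -> list:
    """Return the alert names raised for one request/response pair."""
    alerts = []
    ct = t.content_type.split(";")[0].strip().lower()
    if t.body.startswith(MZ_MAGIC):
        alerts.append("PE EXE or DLL Windows file download")
        # the server claims HTML but ships a Windows executable
        if ct in ("text/html", "text/plain"):
            alerts.append("PE sent when host claims html content")
    if (t.body.startswith(ZIP_MAGIC) and t.user_agent.startswith("Java/")
            and not t.path.lower().endswith(".jar")):
        alerts.append("JAR download by Java UA with non JAR ext")
    return alerts


# Constructed transactions modelled on the landing page, a payload GET and the JAR GET
SAMPLE_TXNS = [
    HttpTxn(EK_HOST, "/", IE8_UA, "text/html", b"<html><body>"),
    HttpTxn("67.196.50.155", "/?1b53cc1ee1f84a6a453d75829010904e",
            IE8_UA, "text/html", b"MZ\x90\x00\x03\x00"),
    HttpTxn(EK_HOST, "/d91f0c04ca832715382dfa4dfbd603d9/ecdb4118cd898f390aaa52a37b7b9181",
            "Java/1.7.0_25", "application/octet-stream", b"PK\x03\x04\x14\x00"),
]


def scan(txns):
    """Map (host, path) to its alerts, keeping only transactions that alerted."""
    return {(t.host, t.path): a for t in txns if (a := check_txn(t))}
```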
HIGHLIGHTS FROM THE TRAFFIC
Chain of events from the compromised website to the Magnitude EK domain:
Magnitude EK sends IE exploit CVE-2013-2551:
Malware delivered by Magnitude EK after the CVE-2013-2551 exploit:
Java exploit sent after the four EXE payload files were delivered:
Post-infection callback traffic:
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-03-25-Magnitude-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-25-Magnitude-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.