2014-04-15 - MAGNITUDE EK FROM 67.196.3.66 - SUGGESTINGLOTS.IN

ASSOCIATED FILES:

• ZIP of the PCAPS:  2014-04-15-Magnitude-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-04-15-Magnitude-EK-malware.zip

NOTES:

• This traffic is similar to the Magnitude EK traffic I posted yesterday.
• There are enough differences, I though I'd do a (somewhat) quick post on this.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 110.4.45.36 - www.fitrahpower.com - Compromised website
• 31.210.48.79 - anadoluengellilerkenti.com - First redirect
• 77.66.44.201 - bealplay.com - Second redirect
• 67.196.3.66 - 44d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - Magnitude EK
• Various IP addresses - Post-infection callback traffic

COMPROMISED WEBSITE AND REDIRECTS:

• 05:53:56 UTC - www.fitrahpower.com - GET /
• 05:54:05 UTC - anadoluengellilerkenti.com - GET /img/trans/
• 05:54:06 UTC - bealplay.com - GET /wp-content/rotr/

MAGNITUDE EK:

• 05:54:06 - 4922944d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /
• 05:54:07 - 4923044d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/a9ab33635c540a8d9e44ed88b2be6294
• 05:54:16 - 4923144d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/9a11441ce87d793a4a54e691f638fb0e
• 05:54:16 - 4923244d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/1ba7556883beac340fdb4d2b3c9faaf4
• 05:54:16 - 4923344d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/1ba7556883beac340fdb4d2b3c9faaf4
• 05:54:16 - 4923444d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/9a11441ce87d793a4a54e691f638fb0e
• 05:54:16 - 4923544d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/9a11441ce87d793a4a54e691f638fb0e
• 05:54:16 - 4923644d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/9a11441ce87d793a4a54e691f638fb0e
• 05:54:16 - 4923744d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/0
• 05:54:16 - 4923844d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/9a11441ce87d793a4a54e691f638fb0e
• 05:54:16 - 4923944d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/9a11441ce87d793a4a54e691f638fb0e
• 05:54:17 - 4924044d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/1
• 05:54:17 - 4924144d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/2
• 05:54:18 - 4924344d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/3
• 05:54:19 - 4924444d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/4
• 05:54:19 - 4924644d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in - GET /0d5d9d73f9f909f2e4671bf2d8516a9b/5

SOME OF THE CALLBACK TRAFFIC:

• 05:54:17 UTC - 77.121.141.171 - unuse-bubler.com - GET /b/shoe/54675
• 05:54:19 UTC - 79.142.66.240 - report.1e93k793ws9e179e.com - GET /?79qG720=%96%CA%A3[long string of characters]
• 05:54:23 UTC - 37.139.108.182 - 37.139.108.182 - GET /mod2/5minut1.exe
• 05:54:26 UTC - 77.121.141.171 - unuse-bubler.com - GET /b/shoe/54675
• 05:54:29 UTC - 93.170.66.147 - bee-pass.com - GET /scripts-jumla/jquery/
• 05:54:49 UTC - 142.91.252.190 - kuawkswesmaaaqwm.org - POST /
• 05:55:05 UTC - 27.6.57.231 - 27.6.57.231 - GET /index.htm
• 05:55:07 UTC - 27.6.57.231 - 27.6.57.231 - GET /search.htm
• 05:55:19 UTC - 212.66.59.107 - 212.66.59.107 - GET /mod1/5minut1.exe
• 05:55:22 UTC - 54.72.9.51 - sev2012.com - GET /page_umax.php
• 05:55:24 UTC - 54.72.9.51 - sev2012.com - GET /page_umax.php
• 05:55:25 UTC - 54.72.9.51 - sev2012.com - GET /page_umax.php
• 05:55:26 UTC - 54.72.9.51 - sev2012.com - GET /page_umax.php
• 05:55:26 UTC - 54.72.9.51 - sev2012.com - GET /track.php?domain=sev2012.com&toggle=browserjs&uid=MTM[long string of characters]
• 05:55:26 UTC - 185.16.209.195 - 185.16.209.195 - GET /login.htm
• 05:55:31 UTC - 54.72.9.51 - sev2012.com - GET /track.php?domain=sev2012.com&caf=1&toggle=feed&feed=afc&uid=MTM[long string of characters]
• 05:55:32 UTC - 79.142.66.240 - report.e931eiqg7iqgm9g1i.com - GET /?CEIQ20=%96%CA%A3%[long string of characters]
• 05:57:46 UTC - 109.87.222.148 - bee-pass.com - GET /info-data/soft32.dll
• 05:57:57 UTC - 185.13.32.67 - baggonally.com - POST /forumdisplay.php?fid=257361666
• 05:58:00 UTC - 185.13.32.67 - baggonally.com - POST /post.aspx?messageID=1226717408
• 05:58:00 UTC - 185.13.32.67 - baggonally.com - POST /post.aspx?messageID=1929733448
• 05:58:10 UTC - 91.230.61.162 - kuawkswesmaaaqwm.org - POST /
• 06:00:43 UTC - 89.45.5.97 - 89.45.5.97 - GET /home.htm
• 06:00:44 UTC - 89.45.5.97 - 89.45.5.97 - GET /index.htm
• 06:00:45 UTC - 46.187.31.8 - 46.187.31.8 - GET /install.htm
• 06:00:46 UTC - 92.244.121.3 - 92.244.121.3 - GET /index.htm
• 06:00:47 UTC - 92.244.121.3 - 92.244.121.3 - GET /setup.htm
• 06:01:00 UTC - 54.72.9.51 - sev2012.com - GET /page_umax.php
• 06:01:00 UTC - 54.72.9.51 - sev2012.com - GET /track.php?domain=sev2012.com&toggle=browserjs&uid=MTM[long string of characters]
• 06:01:01 UTC - 54.72.9.51 - sev2012.com - GET /track.php?domain=sev2012.com&caf=1&toggle=feed&feed=afc&uid=MTM[long string of characters]
• 06:02:04 UTC - 176.73.175.44 - 176.73.175.44 - GET /install.htm

 

PRELIMINARY MALWARE ANALYSIS

File name:  2014-04-15-Magnitude-EK-malware-payload-01.exe
VirusTotal link:  https://www.virustotal.com/en/file/b0b9202f721b0717865aa94869028b3bd56de022f575982b27929e133ea1bc1c/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-02.exe
VirusTotal link:  https://www.virustotal.com/en/file/3bd6d13b4c5be578ec5b2ab4718fd143585b90d88634956e895564d5a15038eb/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-03.exe
VirusTotal link:  https://www.virustotal.com/en/file/f56a8067d213b40a3e4735abcf7ca4707dd38ad736c10033822d580c4dbaf7db/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-04.exe
VirusTotal link:  https://www.virustotal.com/en/file/0c192077738004434dab51212ae9d7628c90dbc2d19a09cc66cf3ff192ad5795/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-05.exe
VirusTotal link:  https://www.virustotal.com/en/file/377bec82f9fd25ca2bb9e2b8f061f891080e123f23a0970a0deef3e31f88abd6/analysis/

File name:  2014-04-15-Magnitude-EK-malware-payload-06.exe
VirusTotal link:  https://www.virustotal.com/en/file/55e1508e841b20a46b97516acf9da8aea15c080b9a50b1288e71f04e7cb9a890/analysis/

File name:  UpdateFlashPlayer_36ebcffd.exe
VirusTotal link:  https://www.virustotal.com/en/file/63196d84da284328361e6ac9b45cd9f1a1f88701916dcea9796dbdf41b7c43bc/analysis/

File name:  soft32.dll
VirusTotal link:  https://www.virustotal.com/en/file/e2ba39c3ecece8c89cac6f815952157c3447be7d69820f328c2d04c721e40238/analysis/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-04-15 05:54:06 UTC - 67.196.3.66:80 - 192.168.204.228:49229 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013
• 2014-04-15 05:54:07 UTC - 67.196.3.66:80 - 192.168.204.228:49230 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
• 2014-04-15 05:54:16 UTC - 192.168.204.228:49231 - 67.196.3.66:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
• 2014-04-15 05:54:16 UTC - 192.168.204.228:49231 - 67.196.3.66:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013
• 2014-04-15 05:54:16 UTC - 67.196.3.66:80 - 192.168.204.228:49232 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
• 2014-04-15 05:54:16 UTC - 67.196.3.66:80 - 192.168.204.228:49232 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
• 2014-04-15 05:54:16 UTC - 67.196.3.66:80 - 192.168.204.228:49232 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 2014-04-15 05:54:16 UTC - 192.168.204.228:49237 - 67.196.3.66:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request
• 2014-04-15 05:54:19 UTC - 192.168.204.228:49245 - 79.142.66.240:80 - ET TROJAN Simda.C Checkin
• 2014-04-15 05:54:23 UTC - 192.168.204.228:49248 - 37.139.108.182:80 - ET INFO Exectuable Download from dotted-quad Host
• 2014-04-15 05:54:23 UTC - 37.139.108.182:80 - 192.168.204.228:49248 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-15 05:54:23 UTC - 37.139.108.182:80 - 192.168.204.228:49248 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
• 2014-04-15 05:54:23 UTC - 37.139.108.182:80 - 192.168.204.228:49248 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
• 2014-04-15 05:54:30 UTC - 93.170.66.147:80 - 192.168.204.228:49251 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-15 05:54:30 UTC - 93.170.66.147:80 - 192.168.204.228:49251 - GPL SHELLCODE x86 NOOP
• 2014-04-15 05:54:30 UTC - 93.170.66.147:80 - 192.168.204.228:49251 - ET INFO EXE - Served Attached HTTP
• 2014-04-15 05:54:30 UTC - 93.170.66.147:80 - 192.168.204.228:49251 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
• 2014-04-15 05:55:05 UTC - 192.168.204.228:49283 - 27.6.57.231:80 - ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)
• 2014-04-15 05:55:05 UTC - 192.168.204.228:49283 - 27.6.57.231:80 - ET TROJAN Win32/Kelihos.F Checkin
• 2014-04-15 05:55:06 UTC - 27.6.57.231:80 - 192.168.204.228:49283 - ET TROJAN Suspicious double Server Header
• 2014-04-15 05:55:20 UTC - 212.66.59.107:80 - 192.168.204.228:49288 - ET TROJAN Suspicious double Server Header
• 2014-04-15 05:55:20 UTC - 212.66.59.107:80 - 192.168.204.228:49288 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-15 05:55:20 UTC - 212.66.59.107:80 - 192.168.204.228:49288 - ET INFO EXE Download With Content Type Specified As Empty
• 2014-04-15 05:55:20 UTC - 212.66.59.107:80 - 192.168.204.228:49288 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
• 2014-04-15 05:55:20 UTC - 212.66.59.107:80 - 192.168.204.228:49288 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
• 2014-04-15 05:57:57 UTC - 192.168.204.228:49172 - 185.13.32.67:80 - ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon
• 2014-04-15 05:59:28 UTC - 192.168.204.228:49201 - 74.125.227.179:80 - ET TROJAN Zeus Bot Request to CnC
• 2014-04-15 06:00:44 UTC - 89.45.5.97:80 - 192.168.204.228:49229 - ET TROJAN Suspicious double Server Header
• 2014-04-15 06:00:46 UTC - 92.244.121.3:80 - 192.168.204.228:49241 - ET TROJAN Suspicious double Server Header

 

FROM THE COMPROMISED WEBSITE TO THE EXPLOIT KIT

www.fitrahpower.com (Compromised website) to anadoluengellilerkenti.com (First redirect):

 

anadoluengellilerkenti.com (First redirect) to bealplay.com (Second redirect)

 

bealplay.com (Second redirect) to Magnitude EK

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAPS:  2014-04-15-Magnitude-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-04-15-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.