2014-04-16 - MAGNITUDE EK FROM 67.196.3.67 - POUNDSWHOSE.IN
ASSOCIATED FILES:
- ZIP of the PCAPS: 2014-04-16-Magnitude-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-16-Magnitude-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 71.18.74.2 - www.deportan.com.mx - Compromised website
- 72.52.6.159 - ironsportsbook.com and www.ironsportsbook.com - First redirect
- 144.76.161.34 - str420.wha.la - Second redirect
- 67.196.3.67 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - Magnitude EK
- Various IP addresses - Post-infection callback traffic
COMPROMISED WEBSITE AND REDIRECTS:
- 04:43:25 UTC - 71.18.74.2 - www.deportan.com.mx - GET /
- 04:43:28 UTC - 72.52.6.159 - ironsportsbook.com - GET /
- 04:43:29 UTC - 72.52.6.159 - www.ironsportsbook.com - GET /
- 04:43:32 UTC - 144.76.161.34 - str420.wha.la - GET /zxzzzzzdddff/?id=ts
MAGNITUDE EK:
- 04:43:33 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /
- 04:43:36 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/f577b0751baac3f50237cb2f014b8786
- 04:43:45 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/ff484253f1d9bbed2efd0faea0775390
- 04:43:45 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/3af6a2919fc635cce651ff32b6306fbc
- 04:43:45 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/ff484253f1d9bbed2efd0faea0775390
- 04:43:45 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/ff484253f1d9bbed2efd0faea0775390
- 04:43:45 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/1c102750d161ffad74861689f566dfce
- 04:43:45 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/1c102750d161ffad74861689f566dfce
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/ff484253f1d9bbed2efd0faea0775390
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/mo.class
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/mo.class
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/0
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/mo.class
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/mo.class
- 04:43:46 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/1
- 04:43:47 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/2
- 04:43:48 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/3
- 04:43:48 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/4
- 04:43:49 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in - GET /eaa7c5381720f0de81b61db51b824541/5
SOME OF THE CALLBACK TRAFFIC:
- 04:43:48 UTC - 178.74.237.103 - unuse-bubler.com - GET /b/shoe/54675
- 04:43:49 UTC - 79.142.66.240 - report.9e17k3yw931g9i1q9w1.com - GET /?q7wS1e20=%96%98%A2[long string of characters]
- 04:43:50 UTC - 178.74.237.103 - unuse-bubler.com - GET /b/shoe/54675
- 04:43:52 UTC - 109.227.123.84 - bee-pass.com - GET /scripts-jumla89/jquery/
- 04:43:52 UTC - 94.251.98.15 - 94.251.98.15 - GET /mod1/5minut1.exe
- 04:44:04 UTC - 193.32.14.186 - 193.32.14.186 - GET /mod2/5minut1.exe
- 04:44:09 UTC - 79.142.66.240 - report.1eiqg79a17eiq7ws.com - GET /?mYW55y20=%96%98%A2[long string of characters]
- 04:44:20 UTC - 49253 74.125.227.178 - www.google.com - GET /
- 04:44:32 UTC - 185.13.32.67 - baggonally.com - POST /forumdisplay.php?fid=1640563286
- 04:44:35 UTC - 185.13.32.67 - baggonally.com - POST /post.aspx?messageID=1623142474
- 04:44:35 UTC - 185.13.32.67 - baggonally.com - POST /post.aspx?messageID=1082594727
- 04:44:38 UTC - 146.185.233.38 - 146.185.233.38 - GET /update?v=778
- 04:45:07 UTC - 212.75.6.27 - 212.75.6.27 - GET /main.htm
- 04:46:09 UTC - 212.75.6.27 - 212.75.6.27 - GET /index.htm
- 04:46:21 UTC - 54.72.9.51 - sev2012.com - GET /page_alph.php
- 04:46:22 UTC - 54.72.9.51 - sev2012.com - GET /page_alph.php
- 04:46:23 UTC - 181.46.31.121 - 181.46.31.121 - GET /main.htm
- 04:46:23 UTC - 54.72.9.51 - sev2012.com - GET /track.php?domain=sev2012.com&toggle=browserjs&uid=MTM5[string of characters]
- 04:46:24 UTC - 54.72.9.51 - sev2012.com - GET /track.php?domain=sev2012.com&caf=1&toggle=feed&feed=afc&uid=MTM5[string of characters]
- 04:46:28 UTC - 181.46.31.121 - 181.46.31.121 - GET /welcome.htm
- 04:46:51 UTC - 109.227.123.84 - bee-pass.com - GET /scripts-jumla89/ajax/
- 04:46:58 UTC - 213.231.6.196 - red-stoneses.com - GET /b/eve/1475ec61e82ab002488f26c8
PRELIMINARY MALWARE ANALYSIS
Java exploit - updated on 2014-04-15
File name: 2014-04-16-Magnitude-EK-java-exploit.jar
File size: 12.8 KB ( 13111 bytes )
MD5 hash: c329dcf93dab1471efa81fe4d2bd8157
Detection ratio: 2 / 51
First submission: 2014-04-16 07:14:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/bffdf06d70b00e82ac84986b4bc720b13b63f66555630f7b3f850d408eae9434/analysis/
Malware payloads (all had to be de-obfuscated after extracting them from the PCAP, because they were XOR-ed with 0x29; see the screenshots section for a visual):
File name: 2014-04-16-Magnitude-EK-malware-payload-01.exe
VirusTotal link: https://www.virustotal.com/en/file/7fbd059fa6a78e5baa0af91ae09ec43ef6a8977f2366b271cb7464af095c6d79/analysis/
File name: 2014-04-16-Magnitude-EK-malware-payload-02.exe
VirusTotal link: https://www.virustotal.com/en/file/c6a365dafaa8eda82303ed986e039cdf884ca989ed7e6525be41625736fb5e15/analysis/
File name: 2014-04-16-Magnitude-EK-malware-payload-03.exe
VirusTotal link: https://www.virustotal.com/en/file/f9dc524248ca403f96f4afbf9e1ce0bf29be64bfc73a738f6317b0a27c7657f3/analysis/
File name: 2014-04-16-Magnitude-EK-malware-payload-04.exe
VirusTotal link: https://www.virustotal.com/en/file/4efcce91f347353e159e04c2c579fa032a7613861a460fbb1b42496d1fea3097/analysis/
File name: 2014-04-16-Magnitude-EK-malware-payload-05.exe
VirusTotal link: https://www.virustotal.com/en/file/ec342510175c3baf67424e63893b56d906fc0a1bbf70e10616d4453d853df3f8/analysis/
File name: 2014-04-16-Magnitude-EK-malware-payload-06.exe
VirusTotal link: https://www.virustotal.com/en/file/ec342510175c3baf67424e63893b56d906fc0a1bbf70e10616d4453d853df3f8/analysis/
Two files pulled from the user's AppData\Local\Temp directory:
File name: UpdateFlashPlayer_734509f8.exe
VirusTotal link: https://www.virustotal.com/en/file/f1ef15f1b72f28fce6503a4ad8019da8a5381899722bd48cf96884524e862d8e/analysis/
File name: temp3344485282.exe
VirusTotal link: https://www.virustotal.com/en/file/0c7d822bad3d639f58717fcb75008e0beb10945d0f149d2249d7aae435212fdf/analysis/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-04-16 04:43:33 UTC - 67.196.3.67:80 - 192.168.204.211:49219 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013
- 2014-04-16 04:43:36 UTC - 67.196.3.67:80 - 192.168.204.211:49223 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
- 2014-04-16 04:43:45 UTC - 67.196.3.67:80 - 192.168.204.211:49229 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
- 2014-04-16 04:43:45 UTC - 67.196.3.67:80 - 192.168.204.211:49229 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 2014-04-16 04:43:45 UTC - 67.196.3.67:80 - 192.168.204.211:49228 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-04-16 04:43:45 UTC - 192.168.204.211:49225 - 67.196.3.67:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
- 2014-04-16 04:43:45 UTC - 192.168.204.211:49229 - 67.196.3.67:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013
- 2014-04-16 04:43:45 UTC - 67.196.3.67:80 - 192.168.204.211:49225 - ET CURRENT_EVENTS Possible J7u21 click2play bypass
- 2014-04-16 04:43:45 UTC - 67.196.3.67:80 - 192.168.204.211:49225 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass
- 2014-04-16 04:43:46 UTC - 192.168.204.211:49236 - 67.196.3.67:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request
- 2014-04-16 04:43:49 UTC - 192.168.204.211:49242 - 79.142.66.240:80 - ET TROJAN Simda.C Checkin
- 2014-04-16 04:43:52 UTC - 109.227.123.84:80 - 192.168.204.211:49244 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
- 2014-04-16 04:43:52 UTC - 192.168.204.211:49245 - 94.251.98.15:80 - ET INFO Exectuable Download from dotted-quad Host
- 2014-04-16 04:43:52 UTC - 109.227.123.84:80 - 192.168.204.211:49244 - ET POLICY PE EXE or DLL Windows file download
- 2014-04-16 04:43:52 UTC - 109.227.123.84:80 - 192.168.204.211:49244 - ET INFO EXE - Served Attached HTTP
- 2014-04-16 04:43:53 UTC - 109.227.123.84:80 - 192.168.204.211:49244 - GPL SHELLCODE x86 NOOP
- 2014-04-16 04:43:55 UTC - 94.251.98.15:80 - 192.168.204.211:49245 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- 2014-04-16 04:43:55 UTC - 94.251.98.15:80 - 192.168.204.211:49245 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
- 2014-04-16 04:43:55 UTC - 94.251.98.15:80 - 192.168.204.211:49245 - ET POLICY PE EXE or DLL Windows file download
- 2014-04-16 04:44:07 UTC - 193.32.14.186:80 - 192.168.204.211:49249 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- 2014-04-16 04:44:07 UTC - 193.32.14.186:80 - 192.168.204.211:49249 - ET TROJAN Suspicious double Server Header
- 2014-04-16 04:44:07 UTC - 193.32.14.186:80 - 192.168.204.211:49249 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
- 2014-04-16 04:44:07 UTC - 193.32.14.186:80 - 192.168.204.211:49249 - ET POLICY PE EXE or DLL Windows file download
- 2014-04-16 04:44:32 UTC - 192.168.204.211:49263 - 185.13.32.67:80 - ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon
- 2014-04-16 04:45:07 UTC - 192.168.204.211:49276 - 212.75.6.27:80 - ET TROJAN Win32/Kelihos.F Checkin
- 2014-04-16 04:46:08 UTC - 212.75.6.27:80 - 192.168.204.211:49276 - ET TROJAN Suspicious double Server Header
- 2014-04-16 04:46:28 UTC - 181.46.31.121:80 - 192.168.204.211:49290 - ET TROJAN Suspicious double Server Header
- 2014-04-16 04:46:58 UTC - 213.231.6.196:80 - 192.168.204.211:49881 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
- 2014-04-16 04:46:58 UTC - 192.168.204.211:49881 - 213.231.6.196:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon
- 2014-04-16 05:18:48 UTC - 192.168.204.211:56448 - 213.231.6.196:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon
- NOTE: I also saw events on SMTP traffic (not included here) indicating my infected host was being used to send spam/malware.
SCREENSHOTS FROM THE TRAFFIC
www.deportan.com.mx (Compromised website) to ironsportsbook.com (First redirect):
www.ironsportsbook.com (First redirect) to str420.wha.la (Second redirect):
str420.wha.la (Second redirect) to Magnitude EK:
All of the malware payloads were obfuscated. The binaries were XOR-ed with 0x29, the ASCII character ")", as shown below:
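The single-byte XOR decoding described above, as an added example that is not part of the original writeup: it decodes a carved file with the 0x29 key from this page, validates the result by its MZ/PE headers, and (going a step beyond the page) recovers the key from the known "MZ" header when the key is not already known. The sample bytes embedded at the bottom are constructed for the test, not a real payload, and the function and file names are my own.

```python
"""Added example: de-obfuscate exploit-kit payloads that were XOR-ed with a
single byte (0x29 on this page) after carving them out of the PCAP."""
import hashlib
from pathlib import Path
from typing import Optional

KEY_FROM_PAGE = 0x29  # the ')' byte reported in this writeup


def xor_decode(data: bytes, key: int = KEY_FROM_PAGE) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def guess_single_byte_key(data: bytes) -> Optional[int]:
    """Recover the key from the known 'MZ' header (known plaintext) and keep it
    only if the same key also yields a valid PE signature; None otherwise."""
    if len(data) < 2:
        return None
    key = data[0] ^ ord("M")
    if data[1] ^ key != ord("Z"):
        return None
    return key if looks_like_pe(xor_decode(data, key)) else None


def decode_carved_payload(path: Path, out: Path) -> str:
    """Decode a carved file, write the clean binary and return its MD5
    (the hash to look up on VirusTotal)."""
    raw = path.read_bytes()
    key = guess_single_byte_key(raw)
    if key is None:
        raise ValueError(f"{path}: no single-byte XOR key yields a PE file")
    clean = xor_decode(raw, key)
    out.write_bytes(clean)
    return hashlib.md5(clean).hexdigest()


# Constructed sample (not a real payload): a minimal PE-shaped header with
# e_lfanew = 0x40, then encoded with the page's key so the helpers can be tested.
_sample_pe = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
              + b"PE\x00\x00" + b"\x00" * 16)
SAMPLE_ENCODED = xor_decode(_sample_pe, KEY_FROM_PAGE)
```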
An example of the spam that was briefly sent from my infected host. The mail has a spoofed sender and spoofed sending IP address:
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAPS: 2014-04-16-Magnitude-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-16-Magnitude-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.