2014-04-17 - MAGNITUDE EK FROM 67.196.3.69 - REFERREDKNEW.IN

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-04-17-Magnitude-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-04-17-Magnitude-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 159.253.36.77 - hayatmersin.com - Compromised website
• 31.210.48.79 - anadoluengellilerkenti.com - First redirect
• 50.28.15.25 - cafenoirproductions.com - Second redirect
• 67.196.3.69 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - Magnitude EK
• Various domains for the callback traffic

COMPROMISED WEBSITE AND REDIRECTS:

• 05:22:08 UTC - hayatmersin.com - GET /
• 05:22:13 UTC - anadoluengellilerkenti.com - GET /img/trans/
• 05:22:14 UTC - cafenoirproductions.com - GET /wp-content/rotr/

MAGNITUDE EK:

• 05:22:15 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /
• 05:22:18 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/24028a1ac73005f8ed38db2e656a8f10
• 05:22:21 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/e53be45a5d4a791f0936773a59f71450
• 05:22:21 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/5a24527dea18801e3b8708bb8a4f1500
• 05:22:21 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/e53be45a5d4a791f0936773a59f71450
• 05:22:21 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/b3f556c206b80a30d36c7eaf053e8aef
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/b3f556c206b80a30d36c7eaf053e8aef
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/e53be45a5d4a791f0936773a59f71450
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/e53be45a5d4a791f0936773a59f71450
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/0
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/lazih.class
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/lazih.class
• 05:22:22 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/1
• 05:22:23 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/2
• 05:22:24 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/3
• 05:22:24 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/4
• 05:22:25 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in - GET /22bf3169828b6b36a0876c12d3344e21/5

SOME OF THE CALLBACK TRAFFIC:

• 05:22:23 UTC - 188.239.95.93 - unuse-bubler.com - GET /b/shoe/54675
• 05:22:24 UTC - 188.239.95.93 - unuse-bubler.com - GET /b/shoe/54675
• 05:22:25 UTC - 79.142.66.240 - report.ce55ku55iqg5iqg.com - GET /?q1wS3131=%96%97%A1%A2[long string of characters]
• 05:22:25 UTC - 5.149.248.153 - report.ce55ku55iqg5iqg.com - POST /
• 05:22:25 UTC - 5.149.248.153 - update1.biix9yc.com - GET /?yi=kaehl5LVyWiRlMufqmzfx2OT1c%2BopcXCqsqXkM[string of characters]
• 05:22:26 UTC - 79.142.66.240 - report.ce55ku55iqg5iqg.com - GET /?sK7yWS43=%96%97%A1%A2[long string of characters]
• 05:22:26 UTC - 79.142.66.240 - report.ce55ku55iqg5iqg.com - GET /?eI79q120=%96%97%A1%A2[long string of characters]
• 05:22:26 UTC - 79.142.66.240 - report.ce55ku55iqg5iqg.com - GET /?o7oC1s12=%96%97%A1%A2[long string of characters]
• 05:22:45 UTC - 178.209.76.179 - GET /mod1/5minut1.exe
• 05:22:53 UTC - 37.57.12.211 - GET /mod2/5minut1.exe
• 05:22:56 UTC - 79.142.66.240 - report.i5qgmy5ceiqg5iq.com - GET /?55i5qGM31=%96%97%A1%A2[long string of characters]
• 05:22:56 UTC - 5.149.248.153 - report.i5qgmy5ceiqg5iq.com - POST /
• 05:22:56 UTC - 5.149.248.153 - update.jstn26gi89r.com - GET /?gs=kaehl5LVyWXNpdakZGnNzW1p2JCWpM7WpsnH1[string of characters]
• 05:22:56 UTC - 79.142.66.240 - report.i5qgmy5ceiqg5iq.com - GET /?uOC3s743=%96%97%A1%A2[long string of characters]
• 05:22:57 UTC - 79.142.66.240 - report.i5qgmy5ceiqg5iq.com - GET /?9g1iQ3w20=%96%97%A1%A2[long string of characters]
• 05:22:57 UTC - 79.142.66.240 - report.i5qgmy5ceiqg5iq.com - GET /?9k17g3i12=%96%97%A1%A2[long string of characters]
• 05:24:07 UTC - 89.45.5.97 - GET /install.htm
• 05:24:08 UTC - 89.45.5.97 - GET /search.htm
• 05:24:21 UTC - 89.45.5.97 - gorotza.biz - GET /page_umax.php
• 05:25:13 UTC - 61.228.88.98 - GET /install.htm
• 05:25:35 UTC - 74.50.103.92 - GET /d/4wo5u8re22/510c92deaa8889e409a8125457047ddb/AA/0

 

PRELIMINARY MALWARE ANALYSIS

Java exploit - updated on 2014-04-17

File name:  2014-04-17-Magnitude-EK-java-exploit.jar
File size:  12.5 KB ( 12767 bytes )
MD5 hash:  6754ef2a19d785cb444946acf0f23a63
Detection ratio:  3 / 51
First submission:  2014-04-17 08:14:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/45b864d5d0005b82a58bac091bded3b84909878cc4287e84d7567ccb998fa2fd/analysis/

 

Like yesterday, the malware payloads all had to be de-obfuscated after extracting from the PCAP, because they were XOR-ed with 0x29 (see the screen shots section for a visual).

File name:  2014-04-17-Magnitude-EK-malware-payload-01.exe  -  MD5 hash: 9d3c3183848beb75ebdabe0e7795422c

• https://www.virustotal.com/en/file/23b501cf14c11d29b7846cd9da2c98f628e63d321efa1c91b32bef66502d8d6d/analysis/

 

File name:  2014-04-17-Magnitude-EK-malware-payload-02.exe  -  MD5 hash: dc3ebbc1adc63fece63d7635f6efccb0

• https://www.virustotal.com/en/file/0c676b964c45423e5a61dbff670fe8e179c9411a253cd9b6b4af4fde7886305c/analysis/

 

File name:  2014-04-17-Magnitude-EK-malware-payload-03.exe  -  MD5 hash: 3a12bd5fbaacce5c8a28a0cb7ff120db

• https://www.virustotal.com/en/file/00df86e59480aa3f03fb080cf04b7e8ca011387344fcd1fda72fbf87af18dd23/analysis/

 

File name:  2014-04-17-Magnitude-EK-malware-payload-04.exe  -  MD5 hash: 74b5d99b8e2e52ec4867a9675240921c (same one seen yesterday)

• https://www.virustotal.com/en/file/4efcce91f347353e159e04c2c579fa032a7613861a460fbb1b42496d1fea3097/analysis/

 

File name:  2014-04-17-Magnitude-EK-malware-payload-05.exe  -  MD5 hash: 875e564cec70f315be73eddf4a539f97

• https://www.virustotal.com/en/file/0d78a110d6cc035a48f28b6e7c81666e2fca5caa3075033720113e37842d109e/analysis/

 

File name:  2014-04-17-Magnitude-EK-malware-payload-06.exe  -  MD5 hash: d9bb863da6a9f77913bd6c242b7b22ac

• https://www.virustotal.com/en/file/1b07ab77d89b6d8966f924ac1fa53ff1d5b23cec301d031edcbffc789e22f99e/analysis/

 

Follow-up downloads during the post-infection traffic:

File name:  5minut1.exe  -  MD5 hash: 1bb4c583d6d233670aff17d9face62f9

• https://www.virustotal.com/en/file/1a73407980e20ee14b5738367c837f30448ca4843b7a96ecd4c9983deedc62e0/analysis/

 

File name:  5minut1-second-time.exe  -  MD5 hash: e92d600fc640f29c03c42073a9bda0d6

• https://www.virustotal.com/en/file/b356bc33474c9da6aa141f518b86c0d927063c55d720043243e6d7b1413ff914/analysis/
• NOTE: This malware acts like what I've seen in the Expiro family of file infectors.  I connected a USB key to the infected host, and a file with the same hash was copied to the USB drive as a hidden file named porn.exe.  There was also a link file pointing to it disguised as a folder named porn.  Here is the Microsoft summary of Expiro, which gives a good description of its behavior.

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-04-17 05:22:18 UTC - 67.196.3.69:80 - 192.168.1.107:49697 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
• 014-04-17 05:22:21 UTC - 192.168.1.107:49698 - 67.196.3.69:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 2014-04-17 05:22:21 UTC - 192.168.1.107:49698 - 67.196.3.69:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013
• 2014-04-17 05:22:21 UTC - 67.196.3.69:80 - 192.168.1.107:49699 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass
• 2014-04-17 05:22:21 UTC - 67.196.3.69:80 - 192.168.1.107:49699 - ET CURRENT_EVENTS Possible J7u21 click2play bypass
• 2014-04-17 05:22:22 UTC - 67.196.3.69:80 - 192.168.1.107:49701 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
• 2014-04-17 05:22:22 UTC - 67.196.3.69:80 - 192.168.1.107:49701 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
• 2014-04-17 05:22:22 UTC - 67.196.3.69:80 - 192.168.1.107:49701 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 2014-04-17 05:22:22 UTC - 192.168.1.107:49705 - 67.196.3.69:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request
• 2014-04-17 05:22:25 UTC - 192.168.1.107:49715 - 79.142.66.240:80 - ET TROJAN Simda.C Checkin
• 2014-04-17 05:22:45 UTC - 192.168.1.107:49730 - 178.209.76.179:80 - ET INFO Exectuable Download from dotted-quad Host
• 2014-04-17 05:22:45 UTC - 192.168.1.107:49730 - 178.209.76.179:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure 2
• 014-04-17 05:22:45 UTC - 178.209.76.179:80 - 192.168.1.107:49730 - ET TROJAN Suspicious double Server Header
• 014-04-17 05:22:45 UTC - 178.209.76.179:80 - 192.168.1.107:49730 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
• 2014-04-17 05:22:45 UTC - 178.209.76.179:80 - 192.168.1.107:49730 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-17 05:23:08 UTC - 37.57.12.211:80 - 192.168.1.107:49735 - ET TROJAN Suspicious double Server Header
• 2014-04-17 05:23:08 UTC - 37.57.12.211:80 - 192.168.1.107:49735 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
• 2014-04-17 05:23:08 UTC - 37.57.12.211:80 - 192.168.1.107:49735 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-17 05:23:08 UTC - 37.57.12.211:80 - 192.168.1.107:49735 - GPL SHELLCODE x86 NOOP
• 2014-04-17 05:24:07 UTC - 192.168.1.107:49766 - 89.45.5.97:80 - ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System
• 2014-04-17 05:24:07 UTC - 192.168.1.107:49766 - 89.45.5.97:80 - ET TROJAN Win32/Kelihos.F Checkin
• 2014-04-17 05:24:08 UTC - 89.45.5.97:80 - 192.168.1.107:49766 - ET TROJAN Suspicious double Server Header

 

SCREENSHOTS FROM THE TRAFFIC

hayatmersin.com (Compromised website) to anadoluengellilerkenti.com (First redirect):

 

anadoluengellilerkenti.com (First redirect) to cafenoirproductions.com (Second redirect):

 

cafenoirproductions.com (Second redirect) to Magnitude EK:

 

Like yesterday, all of the malware payloads were obfuscated.  The binaries were XOR-ed with 0x29, the ASCII character ")", as shown below:

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-04-17-Magnitude-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-04-17-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.