2014-05-02 - MAGNITUDE EK FROM 193.169.245.11 - NAUGHTYGAINING.NET

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-05-02-Magnitude-EK-traffic.pcap.zip

NOTES:

• This one's a relatively quick post for situational awareness.  I didn't extract or deobfuscate any of the malware from the PCAP.
• My previous entry on Angler EK had a click fraud-style trojan, and one of the fake search sites was the10search.net.
• That site returned an .htaccess style 302 redirect to Magnitude EK.
• I typed the fake search site's domain name into a web browser, and it took me there--no referrer was needed.

PREVIOUS MAGNITUDE EK:

• 2014-01-14 - Magnitude EK from 66.55.140.115 - 73373e4.13f8.0caad.991f.004.a8a.5d1.1f0.sknhzkfjldkp.lunchdoors.pw
• 2014-03-12 - Magnitude EK from 67.196.49.168 - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces.pw
• 2014-03-23 - Magnitude EK from 67.196.50.153 - 27.e97a7fd.4e.15b.6f7.ca0726.6f2744.f70.pidzfnbzozvj.pendates.in
• 2014-03-25 - Magnitude EK from 67.196.50.155 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated.in
• 2014-04-14 - Magnitude EK from 67.196.3.65 - 9b5ef08.e9b.1c34d5.379b.0078.5638.0cd0.rpaitxocww.dumpequally.net
• 2014-04-15 - Magnitude EK from 67.196.3.66 - 44d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots.in
• 2014-04-16 - Magnitude EK from 67.196.3.67 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose.in
• 2014-04-17 - Magnitude EK from 67.196.3.69 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew.in
• 2014-04-26 - Magnitude EK from 193.169.245.5 - 2decc.1a9d.d3.f93b0bf.a9c.efe7f.64f6d5.yfbxhpbig.feelchips.in
• 2014-04-30 - Magnitude EK from 193.169.245.10 - 5cfe1.df.0572.77bbe0.d22.4a03.29246d.0c.hjyagwtu.safehe.in
• 2014-05-01 - Magnitude EK from 193.169.245.10 - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride.pw
• 2014-05-02 - Magnitude EK from 193.169.245.11 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 212.38.166.89 - the10search.net - Compromised website
• 193.169.245.11 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - Magnitude EK

COMPROMISED WEBSITE:

• 06:01:42 UTC - 212.38.166.89 - the10search.net - GET /

MAGNITUDE EK:

• 06:01:43 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /
• 06:01:48 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/38b33162224f59ebfc2dad03d288d790
• 06:01:50 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /favicon.ico
• 06:02:02 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/58702b843234284357c133ce034651db
• 06:02:02 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/ea967d07221e1d239ce7dcc3e5219489
• 06:02:03 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/ea967d07221e1d239ce7dcc3e5219489
• 06:02:03 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/58ed00f510627b5e0fffad4f0d28ebf1
• 06:02:03 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/58ed00f510627b5e0fffad4f0d28ebf1
• 06:02:04 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/ea967d07221e1d239ce7dcc3e5219489
• 06:02:05 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/ea967d07221e1d239ce7dcc3e5219489
• 06:02:05 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/0
• 06:02:06 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/qz.class
• 06:02:07 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/qz.class
• 06:02:08 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/qz.class
• 06:02:08 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/1
• 06:02:09 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/qz.class
• 06:02:09 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/2
• 06:02:10 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/3
• 06:02:13 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/4
• 06:02:19 - c462.81d9.3b311.283f0fd.3f5ea.966.8d.99.qqmytmmh.naughtygaining.net - GET /9f4f573499a11745c24548eb934e4496/5

SOME OF THE POST-INFECTION TRAFFIC:

• 06:02:14 UTC - 46.160.212.27 - biobetic-new.com - GET /b/shoe/749634
• 06:02:16 UTC - 46.160.212.27 - biobetic-new.com - GET /b/shoe/749634
• 06:02:23 UTC - 46.160.212.27 - biobetic-new.com - GET /b/shoe/749634
• 06:02:27 UTC - 46.160.212.27 - revolution-start.com - GET /components-i75.89/jquery/   [Repeats several times]
• 06:03:42 UTC - 173.194.127.240 - www.google.com - GET /
• 06:03:46 UTC - 108.59.251.118 - aoneteleshop.com - GET /images/dummy/heap170id3.exe

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-02 06:01:44 UTC - 193.169.245.11:80 - 192.168.204.211:49213 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013
• 2014-05-02 06:01:49 UTC - 193.169.245.11:80 - 192.168.204.211:49214 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
• 2014-05-02 06:02:02 UTC - 192.168.204.211:49217 - 193.169.245.11:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 2014-05-02 06:02:02 UTC - 192.168.204.211:49217 - 193.169.245.11:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013
• 2014-05-02 06:02:03 UTC - 193.169.245.11:80 - 192.168.204.211:49217 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass
• 2014-05-02 06:02:03 UTC - 193.169.245.11:80 - 192.168.204.211:49217 - ET CURRENT_EVENTS Possible J7u21 click2play bypass
• 2014-05-02 06:02:04 UTC - 193.169.245.11:80 - 192.168.204.211:49221 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
• 2014-05-02 06:02:04 UTC - 193.169.245.11:80 - 192.168.204.211:49221 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
• 2014-05-02 06:02:04 UTC - 193.169.245.11:80 - 192.168.204.211:49221 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 2014-05-02 06:02:05 UTC - 192.168.204.211:49224 - 193.169.245.11:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request
• 2014-05-02 06:03:42 UTC - 192.168.204.211:49248 - 173.194.127.240:80 - ET TROJAN Possible Zeus GameOver Connectivity Check
• 2014-05-02 06:03:46 UTC - 192.168.204.211:49251 - 108.59.251.118:80 - ET TROJAN GENERIC Zbot Based Loader
• 2014-05-02 06:03:46 UTC - 108.59.251.118:80 - 192.168.204.211:49251 - ET POLICY PE EXE or DLL Windows file download

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-05-02-Magnitude-EK-traffic.pcap.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.