2014-06-17 - MAGNITUDE EK FROM 212.38.166.94 - 6BA2A.20B.3A2.B0C.8DAB84.7DA44C1.89C.57.MUPQSUAR.INTOENGINEERED.IN

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-17-Magnitude-EK-both-pcaps.zip
• ZIP of the malware:  2014-06-17-Magnitude-EK-malware.zip

NOTES:

• On 2014-06-09, Malwageddon tweeted about bankofbotswana.bw possibly being compromised (link to the tweet).
• The tweet includes a Pastebin link that shows a malicious iframe in the HTML from that site pointing to Magnitude EK.
• Today, I was able to generate Magnitude EK traffic by visiting the site using a vulnerable VM.

• The first run used a Windows 7 VM running IE 8 and Java 6 update 25--it was infected through a CVE-2013-2551 MSIE exploit.
• The second run used a Windows 7 VM running IE 11 and Java 7 update 15--it was infected through a Java exploit.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 83.143.28.94 - www.bankofbotswana.bw - Original referer
• 194.254.173.148 - wilfredcostume.bamoon.com - Redirect during first run
• 194.254.173.148 - kirkasvalolamput.bamoon.com - Redirect during second run
• 212.38.166.94 - da0.11e6f9.ed788e.86e9813.dfbea3.bf8.e.kjeupkfho.saysprice.in - Magnitude EK during first run
• 212.38.166.94 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - Magnitude EK during second run
• Various IP addresses - various domain names - Post-infection traffic (see below)

 

FIRST RUN INFECTION CHAIN:

• 15:32:20 UTC - www.bankofbotswana.bw - GET /
• 15:32:24 UTC - wilfredcostume.bamoon.com - GET /themes/index.php?id=aHR0cDovL2RhMC4xMWU2ZjkuZWQ3ODhlLjg2ZTk4MTMuZGZiZWEzLmJmOC5lLmtqZXVwa2Z
  oby5zYXlzcHJpY2UuaW4v
• 15:32:24 UTC - da0.11e6f9.ed788e.86e9813.dfbea3.bf8.e.kjeupkfho.saysprice.in - GET /
• 15:32:26 UTC - da0.11e6f9.ed788e.86e9813.dfbea3.bf8.e.kjeupkfho.saysprice.in - GET /ccca84ca1647fb8675e0f00dfb227559/575220d2ec66ff3183d5b56cad04c55a
• 15:32:28 UTC - 212.38.166.94 - GET /?1f0f1e3953a9207b49fd0bf1c43e1f51
• 15:32:30 UTC - 212.38.166.94 - GET /?73526b1141662a67069bde856423c7a4
• 15:32:30 UTC - 212.38.166.94 - GET /?905b2039a9ddcdbc1f29cb9406ac0bdc
• 15:32:30 UTC - 212.38.166.94 - GET /?41bcee83a0ce4455364519551cfb1e5f
• 15:32:32 UTC - 212.38.166.94 - GET /?b8cf36726415eaa3808e6c32bc7c63d4
• 15:32:32 UTC - 212.38.166.94 - GET /?99c29058414480926938365820c30669

FIRST RUN POST-INFECTION TRAFFIC:

• 15:32:32 UTC - 172.16.165.223:49187 - 64.233.168.106:80 - www.google.com - GET /
• 15:32:32 UTC - 172.16.165.223:49188 - 198.52.160.123:80 - kuqqqgskcsmkgyai.org - POST /
• 15:32:33 UTC - 172.16.165.223:49190 - 91.222.245.236:80 - carbon-flx.su - GET /b/shoe/749634
• 15:32:38 UTC - 172.16.165.223:49191 - 212.79.125.15:80 - orion-baet.su - GET /pho-caguestbook-http/jquery/
• 15:35:07 UTC - 172.16.165.223:49157 - 31.43.162.40:80 - orion-baet.su - GET /uni-terevolutionq-http/soft32.dll
• 15:35:17 UTC - 172.16.165.223:49159 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=C4732028000002A4001F000100D36B36
• 15:35:17 UTC - 172.16.165.223:49160 - 96.251.112.2:80 - vision-vaper.su - GET /b/eve/a4011d30c6660a5ec14615a6
• 15:35:19 UTC - 172.16.165.223:49159 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=C4732028000002A4001F0001027D0CB4
• 15:35:22 UTC - 172.16.165.223:49161 - 78.153.149.219:80 - 78.153.149.219 - POST /work/1.php?sid=C4732028000002A4001F0001027D0CB4
• 15:35:24 UTC - 172.16.165.223:49162 - 195.130.192.65:80 - manulizza.com - POST /work/1.php?sid=C4732028000002A4001F0001027D0CB4
• 15:35:25 UTC - 172.16.165.223:49159 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=C4732028000002A4001F0001026D3486
• 15:35:26 UTC - 172.16.165.223:49163 - 195.130.192.65:80 - 195.130.192.65 - POST /work/1.php?sid=C4732028000002A4001F0001027D0CB4
• 15:35:27 UTC - 172.16.165.223:49161 - 78.153.149.219:80 - 78.153.149.219 - POST /work/1.php?sid=C4732028000002A4001F0001026D3486
• 15:35:29 UTC - 172.16.165.223:49162 - 195.130.192.65:80 - manulizza.com - POST /work/1.php?sid=C4732028000002A4001F0001026D3486
• 15:35:31 UTC - 172.16.165.223:49164 - 195.130.192.91:80 - kopirabus.com - POST /work/1.php?sid=C4732028000002A4001F0001027D0CB4
• 15:35:34 UTC - 172.16.165.223:49163 - 195.130.192.65:80 - 195.130.192.65 - POST /work/1.php?sid=C4732028000002A4001F0001026D3486
• 15:35:34 UTC - 172.16.165.223:49165 - 195.130.192.91:80 - 195.130.192.91 - POST /work/1.php?sid=C4732028000002A4001F0001027D0CB4
• 15:35:36 UTC - 172.16.165.223:49164 - 195.130.192.91:80 - kopirabus.com - POST /work/1.php?sid=C4732028000002A4001F0001026D3486
• 15:35:38 UTC - 172.16.165.223:49165 - 195.130.192.91:80 - 195.130.192.91 - POST /work/1.php?sid=C4732028000002A4001F0001026D3486
• 15:36:07 UTC - 172.16.165.223:49167 - 176.100.173.132:80 - vision-vaper.su - POST /b/opt/81F143E709D9FCD16BBEEBBF
• 15:36:14 UTC - 172.16.165.223:49168 - 176.100.173.132:80 - vision-vaper.su - POST /b/opt/81F143E709D9FCD16BBEEBBF
• 15:36:18 UTC - 172.16.165.223:49169 - 64.233.168.99:80 - www.google.com - GET /
• 15:36:28 UTC - 172.16.165.223:49171 - 188.0.86.194:80 - valoherusn.su - POST /b/opt/81F143E709D9FCD16BBEEBBF
• 15:36:31 UTC - 172.16.165.223:49172 - 188.0.86.194:80 - valoherusn.su - GET /b/letr/78732D3860F67A3702916D59
• 15:36:33 UTC - 172.16.165.223:49173 - 173.255.241.19:8080 - 173.255.241.19:8080 - POST /b/opt/A80E785C5FDD937F3DBA8411
• 15:36:51 UTC - 172.16.165.223:49174 - 173.255.241.19:8080 - 173.255.241.19:8080 - POST /b/req/7FE18972B5BB404BD7DC5725
• 15:36:53 UTC - 172.16.165.223:49176 - 173.255.241.19:8080 - 173.255.241.19:8080 - GET /b/eve/963ef5c0f459e2aeb85ab114
• 15:36:53 UTC - 172.16.165.223:49175 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=C4732028000002A4001F0001007479B2
• 15:37:50 UTC - 172.16.165.223:49177 - 173.255.241.19:8080 - 173.255.241.19:8080 - POST /b/req/F458562A4247DE582020C936
• 15:37:51 UTC - 172.16.165.223:49178 - 173.255.241.19:8080 - 173.255.241.19:8080 - GET /b/eve/100efe487269e9261e15688b
• 15:37:51 UTC - 172.16.165.223:49179 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=C4732028000002A4001F000100177A4D
• 15:39:27 UTC - 172.16.165.223:49181 - 109.86.83.167:80 - vision-vaper.su - GET /b/eve/b83fcfc9da58d8a791db66ae

 

SECOND RUN INFECTION CHAIN:

• 22:45:39 - www.bankofbotswana.bw - GET /
• 22:45:41 - kirkasvalolamput.bamoon.com - GET /themes/index.php?id=aHR0cDovLzZiYTJhLjIwYi4zYTIuYjBjLjhkYWI4NC43ZGE0NGMxLjg5Yy41Ny5tdXBxc3Vhci5pbnRvZ
  W5naW5lZXJlZC5pbi8=
• 22:45:43 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /
• 22:45:46 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/d5b249f04f93ea5924e4df1856c06af2
• 22:45:54 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/33d8e742ea9d368fa21877408d6df895
• 22:45:54 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/ecdcc4fa138ad80f6783ec60945e002c
• 22:45:55 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/33d8e742ea9d368fa21877408d6df895
• 22:45:55 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/9b7e5d41d6e41cc1a9d15313ed5f89b2
• 22:45:55 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/9b7e5d41d6e41cc1a9d15313ed5f89b2
• 22:45:56 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/33d8e742ea9d368fa21877408d6df895
• 22:45:57 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/0
• 22:45:57 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/33d8e742ea9d368fa21877408d6df895
• 22:45:58 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/qbti.class
• 22:45:59 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/qbti.class
• 22:46:00 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/1
• 22:46:01 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/2
• 22:46:02 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/3
• 22:46:05 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/4
• 22:46:06 - 6ba2a.20b.3a2.b0c.8dab84.7da44c1.89c.57.mupqsuar.intoengineered.in - GET /3ee4edbba456379ba4f1e2f81f6fd5bc/5

SECOND RUN POST-INFECTION TRAFFIC:

• 22:46:00 UTC - 172.16.165.135:49366 - 173.194.127.147:80 - www.google.com - GET /
• 22:46:06 UTC - 172.16.165.135:49372 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:09 UTC - 172.16.165.135:49373 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:15 UTC - 172.16.165.135:49374 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:19 UTC - 172.16.165.135:49375 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:25 UTC - 172.16.165.135:49378 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:26 UTC - 172.16.165.135:49379 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:32 UTC - 172.16.165.135:49380 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:36 UTC - 172.16.165.135:49381 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:54 UTC - 172.16.165.135:49382 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:54 UTC - 172.16.165.135:49385 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=D5890813000002A4001F000100147A2B
• 22:46:55 UTC - 172.16.165.135:49386 - 212.2.132.4:80 - carbon-flx.su - GET /b/shoe/749634
• 22:46:58 UTC - 172.16.165.135:49385 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=D5890813000002A4001F000102B7558A
• 22:46:58 UTC - 172.16.165.135:49387 - 31.134.211.124:80 - orion-baet.su - GET /pho-caguestbook-http/jquery/
• 22:47:01 UTC - 172.16.165.135:49388 - 78.153.149.219:80 - 78.153.149.219 - POST /work/1.php?sid=D5890813000002A4001F000102B7558A
• 22:47:03 UTC - 172.16.165.135:49385 - 78.153.149.219:80 - efuelia.com - POST /work/1.php?sid=D5890813000002A4001F000102181885
• 22:47:04 UTC - 172.16.165.135:49389 - 195.130.192.65:80 - manulizza.com - POST /work/1.php?sid=D5890813000002A4001F000102B7558A
• 22:47:05 UTC - 172.16.165.135:49388 - 78.153.149.219:80 - 78.153.149.219 - POST /work/1.php?sid=D5890813000002A4001F000102181885
• 22:47:07 UTC - 172.16.165.135:49390 - 195.130.192.65:80 - 195.130.192.65 - POST /work/1.php?sid=D5890813000002A4001F000102B7558A
• 22:47:07 UTC - 172.16.165.135:49389 - 195.130.192.65:80 - manulizza.com - POST /work/1.php?sid=D5890813000002A4001F000102181885
• 22:47:10 UTC - 172.16.165.135:49390 - 195.130.192.65:80 - 195.130.192.65 - POST /work/1.php?sid=D5890813000002A4001F000102181885
• 22:47:10 UTC - 172.16.165.135:49391 - 195.130.192.91:80 - kopirabus.com - POST /work/1.php?sid=D5890813000002A4001F000102B7558A
• 22:47:12 UTC - 172.16.165.135:49391 - 195.130.192.91:80 - kopirabus.com - POST /work/1.php?sid=D5890813000002A4001F000102181885
• 22:47:13 UTC - 172.16.165.135:49392 - 195.130.192.91:80 - 195.130.192.91 - POST /work/1.php?sid=D5890813000002A4001F000102B7558A
• 22:47:15 UTC - 172.16.165.135:49393 - 195.130.192.91:80 - 195.130.192.91 - POST /work/1.php?sid=D5890813000002A4001F000102181885

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOADS - FIRST RUN:

• Malware payload 1 of 4:   2014-06-17-Magnitude-EK-malware-payload-01.exe - MD5: 8421ecf25721bd8db0e81bfa05bda415 - Virus total link - Malwr link
• Malware payload 2 of 4:   2014-06-17-Magnitude-EK-malware-payload-02.exe - MD5: 090ac2accf44815f968372e6494c21d2 - Virus total link - Malwr link
• Malware payload 3 of 4:   2014-06-17-Magnitude-EK-malware-payload-03.exe - MD5: 4e565f52889de176ef53a13727e41225 - Virus total link - Malwr link
• Malware payload 4 of 4:   2014-06-17-Magnitude-EK-malware-payload-04.exe - MD5: 8c5c2217841c4dc8f4917f5f26c06022 - Virus total link - Malwr link
• Asprox-style malware:   UpdateFlashPlayer_dadb2a1a.exe - MD5: 0c5bf59dccba0c8b81f348db4924a1ab - Virus total link - Malwr link

 

MALWARE PAYLOADS - SECOND RUN:

• Malware payload 1 of 3:   2014-06-17-Magnitude-EK-malware-payload-04.exe - MD5: 8c5c2217841c4dc8f4917f5f26c06022 - NOTE: same as 4 of 4 during first run.
• Malware payload 2 of 3:   2014-06-17-Magnitude-EK-malware-payload-05.exe - MD5: 1df09304da7582cd2135d14401753c8b - Virus total link - Malwr link
• Malware payload 3 of 3:   2014-06-17-Magnitude-EK-malware-payload-06.exe - MD5: 3dcd12a84928b7fa4c6f09282a6d4491 - Virus total link - Malwr link
• Asprox-style malware:   UpdateFlashPlayer_398254f1.exe - MD5: 7762de49008c15c8814e575349ec8e99 - Virus total link - Malwr link

 

JAVA EXPLOIT FROM THE SECOND RUN:

File name:  2014-06-17-Magnitude-EK-java-exploit.jar
File size:  13.6 KB ( 13942 bytes )
MD5 hash:  eed92670882f368ecf45f5dfc726375b
Detection ratio:  2 / 53
First submission:  2014-06-18 00:09:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6670b0beb22dc781d780e7f67066e552efe6942d539decc4dc338a40fe434d9/analysis/

 

SNORT EVENTS - FIRST RUN

Emerging Threats and ETPRO rulesets:

• 212.38.166.94:80 - 172.16.165.223:49180 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 (sid:2017602)
• 212.38.166.94:80 - 172.16.165.223:49181 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK (sid:2017849)
• 172.16.165.223:49182 - 212.38.166.94:80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 (sid:2017694)
• 172.16.165.223:49182 - 212.38.166.94:80 - ET CURRENT_EVENTS NeoSploit - TDS (sid:2015665)
• 212.38.166.94:80 - 172.16.165.223:49182 - ET MALWARE Possible Windows executable sent when remote host claims to send html content (sid:2009897)
• 172.16.165.223:49190 - 91.222.245.236:80 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2807742)
• 212.79.125.15:80 - 172.16.165.223:49191 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid:2018572)
• 212.79.125.15 :80- 172.16.165.223:49191 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 172.16.165.223:49192 - 85.17.138.170:53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
• 172.16.165.223:49160 - 96.251.112.2:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• 96.251.112.2:80 - 172.16.165.223:49160 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 172.16.165.223:49167 - 176.100.173.132:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
• 172.16.165.223:49169 - 64.233.168.99:80 - ET TROJAN Zeus Bot Request to CnC (sid:2011588)
• 173.255.241.19:8080 - 172.16.165.223:49176 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 109.86.83.167:80 - 172.16.165.223:49181 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)

Sourcefire VRT ruleset:

• 212.38.166.94:80 - 172.16.165.223:49180 - EXPLOIT-KIT Multiple exploit kit landing page - specific structure (sid:26653)
• 212.38.166.94:80 - 172.16.165.223:49180 - EXPLOIT-KIT Magnitude exploit kit landing page (sid:30766)
• 172.16.165.223:49182 - 212.38.166.94:80 - EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (sid:29189)
• 212.38.166.94:80 - 172.16.165.223:49182 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
• 212.79.125.15:80 - 172.16.165.223:49191 - MALWARE-CNC Win.Trojan.Dofoil outbound connection (sid:28809)
• 172.16.165.223:49192 - 85.17.138.170:53 - MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (sid:28996)
• 172.16.165.223:49160 - 96.251.112.2:80 - MALWARE-CNC Win.Trojan.Cidox variant outbound connection (sid:29356)

NOTE: These Snort events were taken from Sguil on Security Onion

 

SNORT EVENTS - SECOND RUN

Emerging Threats and ETPRO rulesets:

• 212.38.166.94:80 - 172.16.165.135:49339 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 (sid:2017602)
• 212.38.166.94:80 - 172.16.165.135:49340 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK (sid:2017849)
• 172.16.165.135:49350 - 212.38.166.94:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013 (sid:2017603)
• 212.38.166.94:80 - 172.16.165.135:49349 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (sid:2016797)
• 212.38.166.94:80 - 172.16.165.135:49349 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
• 212.38.166.94:80 - 172.16.165.135:49356 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 212.38.166.94:80 - 172.16.165.135:49356 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs (sid:2016540)
• 172.16.165.135:49361 - 212.38.166.94:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request (sid:2015888)
• 172.16.165.135:49372 - 212.2.132.4:80 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2807742)
• 31.134.211.124:80 - 172.16.165.135:49387 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid:2018572)
• 31.134.211.124:80 - 172.16.165.135:49387 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 172.16.165.135:49160 - 46.98.67.241:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• 46.98.67.241:80 - 172.16.165.135:49160 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 172.16.165.135:49162 - 50.161.246.210:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)

Sourcefire VRT ruleset:

• 212.38.166.94:80 - 172.16.165.135:49339 - EXPLOIT-KIT Multiple exploit kit landing page - specific structure (sid:26653)
• 212.38.166.94:80 - 172.16.165.135:49339 - EXPLOIT-KIT Magnitude exploit kit landing page (sid:30766)
• 172.16.165.135:49350 - 212.38.166.94:80 - EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request (sid:30767)
• 212.38.166.94:80 - 172.16.165.135:49356 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 31.134.211.124:80 - 172.16.165.135:49387 - MALWARE-CNC Win.Trojan.Dofoil outbound connection (sid:28809)
• 172.16.165.135:49160 - 46.98.67.241:80 - MALWARE-CNC Win.Trojan.Cidox variant outbound connection (sid:29356)

 

HIGHLIGHTS FROM THE SECOND RUN

Embedded iframe in page from compromised website:

 

Redirect:

 

Magnitude EK delivers Java exploit:

 

EXE payloads (for each payload, every byte is XOR-ed with 0x1e):

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAPs:  2014-06-17-Magnitude-EK-both-pcaps.zip
• ZIP of the malware:  2014-06-17-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.