2014-06-24 - MAGNITUDE EK - 64.187.226.178 - 1DF74E.A2B73.ABC.8E.CF29.FB.7D.BC.3DB9D2.UJMHCMJRSLOS.OCCURSDIRTY.IN

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-24-Magnitude-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-24-Magnitude-EK-malware.zip
• ZIP of CSV summary of the Fiddler results:  2014-06-24-Magnitude-EK-Fiddler-export.csv.zip

NOTES:

• CryptoWall was one of the malware payloads, using Bitcoin address 1GkBo7k4b1k7ehPYYqiY9jhGXPNCKtyEGi for the ransom payment.
• Today's CryptoWall sample is 2014-06-24-Magnitude-EK-malware-payload-1-of-6.exe, which I confirmed by executing the malware on a separate VM.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 64.187.226.178 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - Magnitude EK
• various IP addresses - various domains - Post-infection traffic (see below)

MAGNITUDE EK:

• 20:38:10 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - GET /
• 20:38:13 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - GET /4ca56dfe88c95a4f491771ead1814563/99db8f7f025fd9759edec05bf2528f03
• 20:38:13 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - GET /4ca56dfe88c95a4f491771ead1814563/dab8df1ceda43a09ec93bab7b90657cc
• 20:38:13 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - GET /4ca56dfe88c95a4f491771ead1814563/65e29c0d9b50d301aed8206d56108f86
• 20:38:14 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - GET /4ca56dfe88c95a4f491771ead1814563/99db8f7f025fd9759edec05bf2528f03
• 20:38:14 - 1df74e.a2b73.abc.8e.cf29.fb.7d.bc.3db9d2.ujmhcmjrslos.occursdirty.in - GET /4ca56dfe88c95a4f491771ead1814563/65e29c0d9b50d301aed8206d56108f86
• 20:38:15 - 64.187.226.178 - GET /?b1ad2c90313dfb41b784cf314b7b995b
• 20:38:16 - 64.187.226.178 - GET /?178738ff41f4d909a0d087008b95a6af
• 20:38:21 - 64.187.226.178 - GET /?afb785bfe5aee1c0fb82b09fc55b7487
• 20:38:27 - 64.187.226.178 - GET /?dacc9e9f8cfc3b6fd839bf3d0b11e379
• 20:38:32 - 64.187.226.178 - GET /?16a18f4ec8cbdf839fbaf536edf1019e
• 20:38:33 - 64.187.226.178 - GET /?d187dc05a0121ca1bd58281807d903d1

SOME OF THE POST-INFECTION TRAFFIC:

• 20:38:18 UTC - 199.127.225.232 - babyslutsnil.com - POST /jdi8pp82jb54d
• 20:38:21 UTC - 199.127.225.232 - babyslutsnil.com - POST /rwrvxeu9xjvn
• 20:38:24 UTC - 64.5.41.209 - axisdanceshoes.com - POST /
• 20:38:33 UTC - 176.41.114.36 - gummiringes.com - GET /b/shoe/749634
• 20:38:36 UTC - 199.127.225.232 - babyslutsnil.com - POST /3yzjsr8c2ikt3k1
• 20:38:39 UTC - 173.20.248.44 - orion-baet.su - GET /pho-caguest-book75.12/jquery/
• 20:38:40 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /tvbirkod.php?jacwsn=ToqOeZ6oqIw2Vq8u4ipX4A1GKm8TogRtoRTV24J8ERc1MVOsyAC+R27iun5+Z
  wC7kT2ZX8n1RGVjaVmbCEkIWSmIMjCW+Q9PTxtf+cwDdQ2mzoIXt//JYmtiOjpAMWJ1BIf3EAlx8mfdQ6BZ6ZXaUBbFxmGM3QRbh2aM+TwlqVARninVLIbp4Yb3xJXECa
  yeZtNmLr9N2VFyAHs+oJey+2hf5jx59Ig7GZznBDljElN=
• 20:38:41 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /cljjceq.php?uknd=hyQ/dL/XHqM9Tbcw7wtYR327NIhd774M0EioKtynJZ9jDcqu9MIYEOKLUBvE9mbDY
  3iqFrPMOxcxK8lalcJ5GSosxEl2HUqIf4GOeymh9AGqKscdcGqMBOThDrdSpGw61kY02BCvk5pUjc5S0Utam1UEa4Bj83UQzMXHiVBepb4z9qA/pSx6RCP+2HXWSAd/+G
  VlyWfRXOQye+NXDaSm0vKz8BCctZTp+s+LCC83IQ5le+chPWbr1if8RhjjYhA0
• 20:39:42 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /cuknjmxjr.php?tsuyep=nvHOEWntnQpbtcIxWW6510eoguCNY2w+N5lEiTmq7SAmpvyqa0WXETPYD02
  dZOcESI2sTZqPqj2G/9cO6I20rGTZ/PmW1AfUa17b2ZMpu+HWcDHNO38uu4Hx5oJaCY0GnBjvXifneqMfCpK3o5olMzpq3vfrgDVmwb2SHECkaTgtFJQ3wgGBveOWKInM
  f/WD4cpM8ITOLUyGLqtGv8bAd0Nu56P77tcGOi+ShnCj90Y8XlJhOPmw7I2yGcHGkhcT
• 20:40:43 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /ctlmvcn.php?xhmy=e2c4uk7LplmTqN2bpWCbQn27NIhd774M0EioKtynJZ9jDcqu9MIYEOKLUBvE9mbD
  Y3iqFrPMOxcxK8lalcJ5GSosxEl2HUqIf4GOeymh9AGcIpH4xVvgbXxCspwbdl//1kY02BCvk5pUjc5S0Utam1UEa4Bj83UQzMXHiVBepb4z9qA/pSx6RCP+2HXWSAd/+GVlyW
  fRXOQye+NXDaSm0vKz8BCctZTp+s+LCC83IQ5le+chPWbr1if8RhjjYhA0
• 20:40:55 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - POST /data.php?version=307027&user=e8d5a4592495fd4a9940cf3ef155f4d9&server=12&group=7&type=1&
  name=form
• 20:41:34 UTC - 178.74.205.243 - proactives-a.com - GET /pho-caguest-book75.12/ajax/
• 20:41:42 UTC - 176.124.0.28 - vision-vaper.su - GET /b/eve/05bc653567db725b6c2dbf87
• 20:41:44 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /cmhuiytxnb.php?rnbf=IfLBoLjuFuu+vM1X0fjpBvvxmwkofjJqEVlKYK8ZhkRl+7jxG5j85ftnUQM1EXxCywg
  pcxsMMycuEEOpkdWNhtLarSxSbq7lQl3GjaxvS/lzIrS2wwWzAc8Q4k4APvSkiXAv2onPqHpCcCviuMkkGJLcv8O6JoYfxl57WD0B1rP7KWWqkwL5+Ntu590Y5fHXZLzcXcvS
  GqufI75JLNP78PCTE6nPDAeE7QVQWz4v9VQ=
• 20:42:30 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /tmjdqbvi.php?ylhv=8XctJLc/g/M+TYuv/9dYv0eoguCNY2w+N5lEiTmq7SAmpvyqa0WXETPYD02dZOcE
  SI2sTZqPqj2G/9cO6I20rGTZ/PmW1AfUa17b2ZMpu+H7ASPVj1Vx85mqMN+cDaQbnBjvXifneqMfCpK3o5olMzpq3vfrgDVmwb2SHECkaTgtFJQ3wgGBveOWKInMf/WD4c
  pM8ITOLUyGLqtGv8bAd0Nu56P77tcGOi+ShnCj90Y8XlJhOPmw7I2yGcHGkhcT
• 20:42:30 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - POST /data.php?version=307027&user=e8d5a4592495fd4a9940cf3ef155f4d9&server=12&group=7&type=11
  &name=form
• 20:42:41 UTC - 176.124.0.28 - vision-vaper.su - POST /b/opt/6F7A49ACCECEA870ACA9BF1E
• 20:42:42 UTC - 176.124.0.28 - vision-vaper.su - GET /b/letr/99A0D25AC0812B23A2E63C4D
• 20:42:44 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /cbvgkuero.php?rjddufh=4T+voKNBdWHwESsBduwb8XjDBx5kb7uS49ueSIhN6BlbV31cIBf+CfpD2csfWt
  CdhgrqLdLW4FkNzdpG1kjn5nvzEgxDhTfSv0sBqtOgME6X/hqn8nOibCzpHO2Al+HlsiJIPVV7iPgvGEvVIEh2GckfJiSbOyOpfPXtvNwD2vmz5aV2Uv3BXjnfVOmISsVaW17cM
  lPoFwTTJWuLomHGOm8mYRdStFY9hAWcy7eA8QG=
• 20:43:38 UTC - 23.238.229.250 - 23.238.229.250 - GET /click.php?c=ec4987ea37b258fbaf9a668cbfff60f1af570458150bd6cc3878daa5657a9b406ea5120f74980aafebb
  2631d9a47c0c4aaf3236f1a4c15aede268458a41123444cbc931016608bc1d7fb710a2ae21d9d
• 20:43:42 UTC - 23.238.229.250 - 23.238.229.250 - GET /click.php?c=ec4987ea37b258fbaf9a668cbfff60f1f70e00651d36d08750249d90dade4b707a7b9ae0438c9d8b61f
  3778ad7eae4d6cb109555b0262cf0f6fa2ac69615616e5a7660e0b9c53479dd0fb5259076c427
• 20:43:44 UTC - 23.238.229.250 - 23.238.229.250 - GET /click.php?c=1b2bb69b2484119fc4e5c01e5d0761e06699c4b0df390e6ea0b2aa94d662b0a9eda02044f09b3cd6
  d512bb8cad393c18f14a2d132003f1ab2e8df5e8c420e5ff3fccbb07509f8fe32084af5aeb6fb6f5
• 20:43:46 UTC - 91.226.212.148 - r11-sn-a5m7mfrost.com - GET /chxjfsrsi.php?neg=aiHDVOGZYGLalUMedE6hchzLpY9y71+XJ9nHWARpjebLoh+4pAqjZrrN3Tbk/GxXR
  tFb71COfaE41VI0iHOcSyiW52p7X/cYobenXiiqW/viEZSXtDIqm9OySgWcQEX2WdXsT8TeD6bO7dneZzU2jw7eAzJvrC6ceTO28lyK6B7CkcBeA8OVw56SrdytKuM43pcIoO
  SOTjLJmM00syF0ome4AEAKZ/Vse0KOvwJ7ldx=
• 20:43:47 UTC - 23.238.229.250 - 23.238.229.250 - GET /click.php?c=1b2bb69b2484119fc4e5c01e5d0761e0aa11a1c3dc8b1601db327d0f6f8e348ddef6e456450fc3bf53
  aa19ce5eed7bd50cb6b5bf9024b56b51075e32e371931299217aae58ccab270373cc2590286907

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  06bbeb139df460527adfdf112a9acd7270817f28
File size:  13.5 KB ( 13820 bytes )
MD5 hash:  c2fef7dc598471f562f0c3ebf8409fd2
Detection ratio:  4 / 52
First submission:  2014-06-24 19:13:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d57d66f70e35c8f038d68472eef756483b95329335f20da0a518e51e08f5eb6/analysis/

 

MALWARE DOWNLOADED

• 2014-06-24-Magnitude-EK-malware-payload-1-of-6.exe   -   MD5 hash:  abce7956f155b43ae61aeb23143a4253   -   VirusTotal   -   Malwr
• 2014-06-24-Magnitude-EK-malware-payload-2-of-6.exe   -   MD5 hash:  2e10fbbe72a489d04b6a3fafb0e7012d   -   VirusTotal   -   Malwr
• 2014-06-24-Magnitude-EK-malware-payload-3-of-6.exe   -   MD5 hash:  4bb7fde37e5e78480801a8d5f7115044   -   VirusTotal   -   Malwr
• 2014-06-24-Magnitude-EK-malware-payload-4-of-6.exe   -   MD5 hash:  b7e7722eb97154e037f3864125b7a699   -   VirusTotal   -   Malwr
• 2014-06-24-Magnitude-EK-malware-payload-5-of-6.exe   -   MD5 hash:  dfe64f658a94da5cd2e96c20b23b4471   -   VirusTotal   -   Malwr
• 2014-06-24-Magnitude-EK-malware-payload-6-of-6.exe   -   MD5 hash:  fbd0eeff859dd59bdaa37218ec2e9545   -   VirusTotal   -   Malwr
• UpdateFlashPlayer_bccb4032.exe   -   MD5 hash:  635e829019d87f357a61e9cd49b1bfe3   -   VirusTotal   -   Malwr
• UpdateFlashPlayer_ef72c596.exe   -   MD5 hash:  5abcbd29d2112d7f9b28e41c3ac77e49   -   VirusTotal   -   Malwr

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets:

• 64.187.226.178:80 - 192.168.204.230:49296 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 (sid:2017602)
• 192.168.204.230:49300 - 64.187.226.178:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013 (sid:2017603)
• 64.187.226.178:80 - 192.168.204.230:49303 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 64.187.226.178:80 - 192.168.204.230:49303 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs (sid:2016540)
• 64.187.226.178:80 - 192.168.204.230:49302 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK (sid:2017849)
• 192.168.204.230:49309 - 64.187.226.178:80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 (sid:2017694)
• 192.168.204.230:49309 - 64.187.226.178:80 - ET CURRENT_EVENTS NeoSploit - TDS (sid:2015665)
• 64.187.226.178:80 - 192.168.204.230:49309 - ET MALWARE Possible Windows executable sent when remote host claims to send html content (sid:2009897)
• 192.168.204.230:49313 - 199.127.225.232:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
• 192.168.204.230:49329 - 64.5.41.209:80 - ET TROJAN Backdoor.Win32.Pushdo.s Checkin (sid:2016867)
• 192.168.204.230:49441 - 176.41.114.36:80 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2807742)
• 173.20.248.44:80 - 192.168.204.230:49490 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid:2018572)
• 173.20.248.44:80 - 192.168.204.230:49490 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 192.168.204.230:49655 - 91.226.212.148:80 - ET TROJAN Gozi posting form data (sid:2012871)
• 178.74.205.243:80 - 192.168.204.230:49684 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 192.168.204.230:49692 - 176.124.0.28:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• 176.124.0.28:80 - 192.168.204.230:49692 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 192.168.204.230:49714 - 176.124.0.28:90 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)

Sourcefire VRT ruleset:

• 64.187.226.178:80 - 192.168.204.230:49296 - EXPLOIT-KIT Multiple exploit kit landing page - specific structure (sid:26653)
• 64.187.226.178:80 - 192.168.204.230:49296 - EXPLOIT-KIT Magnitude exploit kit landing page (sid:30766)
• 192.168.204.230:49300 - 64.187.226.178:80 - EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request (sid:30767)
• 64.187.226.178:80 - 192.168.204.230:49303 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 192.168.204.230:49309 - 64.187.226.178:80 - EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (sid:29189)
• 64.187.226.178:80 - 192.168.204.230:49309 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
• 192.168.204.230:49320 - 199.127.225.232:80 - MALWARE-CNC Win.Trojan.Goon outbound communication (sid:31014)
• 192.168.204.230:49329 - 64.5.41.209:80 - MALWARE-CNC Win.Trojan.Pushdo variant outbound connection (sid:29891)
• 192.168.204.230:49514 - 91.226.212.148:80 - MALWARE-CNC Potential Gozi Trojan HTTP Header Structure (sid:26924)
• 173.20.248.44:80 - 192.168.204.230:49490 - MALWARE-CNC Win.Trojan.Dofoil outbound connection (sid:28809)
• 178.74.205.243:80 - 192.168.204.230:49684 - MALWARE-CNC Win.Trojan.Dofoil outbound connection (sid:28809)
• 192.168.204.230:49692 - 176.124.0.28:80 - MALWARE-CNC Win.Trojan.Cidox variant outbound connection (sid:29356)
• 192.168.204.230:49757 - 23.238.229.250:80 - MALWARE-CNC Win.Trojan.Alurewo outbound connection (sid:31079)

NOTE 1: These snort events were taken from Sguil on Security Onion.
NOTE 2: I recent found out that not all of the Sourcefire VRT signatures are firing on my Security Onion setup--haven't figured out why yet.

 

SCREENSHOTS

Cryptowall in action:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-06-24-Magnitude-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-24-Magnitude-EK-malware.zip
• ZIP of CSV summary of the Fiddler results:  2014-06-24-Magnitude-EK-Fiddler-export.csv.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.