2014-06-29 - MAGNITUDE EK FROM 64.187.226.183 - 751.895A24.1C7872.05A3.4D.2DAFCA.A1E.C2.QGZOCPAL.SLIPTRIED.IN

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-29-Magnitude-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-29-Magnitude-EK-malware.zip

 

CHAIN OF EVENTS:

ASSOCIATED DOMAINS:

• 64.187.226.183 - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - Magnitude EK
• various IP addresses - various domains - Post-infection traffic (see below)

 

MAGNITUDE EK:

• 22:30:04 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /
• 22:30:12 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/30cb99adc78b03e3d3b264f6b9a96649
• 22:30:23 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/6dac6469b8d3b598be4adc5badc6356b
• 22:30:23 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/380bed34792a9c7125f56e1d793349cb
• 22:30:24 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/380bed34792a9c7125f56e1d793349cb
• 22:30:24 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/c7b000aed0739d2c7a5ac5da28e000fd
• 22:30:24 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/c7b000aed0739d2c7a5ac5da28e000fd
• 22:30:25 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/380bed34792a9c7125f56e1d793349cb
• 22:30:26 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/0   [!]
• 22:30:28 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/380bed34792a9c7125f56e1d793349cb
• 22:30:28 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/uzkr.class
• 22:30:28 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/1
• 22:30:29 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/uzkr.class
• 22:30:30 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/2
• 22:30:32 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/3   [!]
• 22:30:36 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/4   [!]
• 22:30:40 UTC - 751.895a24.1c7872.05a3.4d.2dafca.a1e.c2.qgzocpal.sliptried.in - GET /ef89c4d318f7454b6dbad22254636ab7/5   [!]

[!] indicates a malware payload was sent.

 

POST-INFECTION TRAFFIC:

• 22:30:32 UTC - 192.168.204.229:49309 - 199.127.225.232:80 - vivatsaultppc.com - POST /p5lfp3baq3qe
• 22:30:37 UTC - 192.168.204.229:49311 - 91.244.131.188:80 - carbiginer.com - GET /b/shoe/749634
• 22:30:40 UTC - 192.168.204.229:49312 - 99.238.33.1:80 - goccefy.com - GET /mod_articles_news-96-789/jquery/
• 22:30:41 UTC - 192.168.204.229:49314 - 199.127.225.232:80 - vivatsaultppc.com - POST /v32hoarl04
• 22:30:44 UTC - 192.168.204.229:49317 - 31.184.192.202:80 - cd5c5c.com - POST /q
• 22:30:48 UTC - 192.168.204.229:49320 - 31.184.192.202:80 - cd5c5c.com - POST /q
• 22:30:49 UTC - 192.168.204.229:49322 - 199.127.225.232:80 - vivatsaultppc.com - POST /d3g77sn097k8g
• 22:30:49 UTC - 192.168.204.229:49321 - 31.184.192.202:80 - cd5c5c.com - POST /q
• 22:30:50 UTC - 192.168.204.229:49323 - 31.184.192.202:80 - cd5c5c.com - GET /dll
• 22:30:50 UTC - 192.168.204.229:49324 - 31.184.192.202:80 - cd5c5c.com - POST /q
• 22:31:01 UTC - 192.168.204.229:49325 - 199.127.225.232:80 - vivatsaultppc.com - POST /aevgwrkqzx8iji
• 22:32:04 UTC - 192.168.204.229:49157 - 2.22.48.33 :80 - www.msftncsi.com - GET /ncsi.txt
• 22:32:08 UTC - 192.168.204.229:49158 - 94.244.161.54:80 - goccefy.com - GET /mod_jshopping_filters-74-984/soft64.dll
• 22:32:24 UTC - 192.168.204.229:49159 - 199.127.225.232:80 - vivatsaultppc.com - POST /ht095539kk2b
• 22:32:29 UTC - 192.168.204.229:49160 - 85.29.190.85:80 - vision-vaper.su - GET /b/eve/d692eb926343190301a31d47
• 22:32:31 UTC - 192.168.204.229:49162 - 199.127.225.232:80 - vivatsaultppc.com - POST /5fbsoqv8sy2
• 22:32:37 UTC - 192.168.204.229:49163 - 199.127.225.232:80 - vivatsaultppc.com - POST /kfym4jy3o390n4s
• 22:32:45 UTC - 192.168.204.229:49164 - 199.127.225.232:80 - vivatsaultppc.com - POST /x3q9pbxbul81
• 22:32:51 UTC - 192.168.204.229:49165 - 199.127.225.232:80 - vivatsaultppc.com - POST /vrhucndzzn9ixq0
• 22:32:57 UTC - 192.168.204.229:49166 - 199.127.225.232:80 - vivatsaultppc.com - POST /5pw55ccs7o75q
• 22:33:04 UTC - 192.168.204.229:49167 - 199.127.225.232:80 - vivatsaultppc.com - POST /axen1mtnm2e4wr
• 22:33:13 UTC - 192.168.204.229:49168 - 199.127.225.232:80 - vivatsaultppc.com - POST /8r9c5n0y4z4yww
• 22:33:23 UTC - 192.168.204.229:49169 - 85.29.190.85:80 - vision-vaper.su - POST /b/opt/57CE7001706186F8C5B07469
• 22:33:23 UTC - 192.168.204.229:49170 - 199.127.225.232:80 - vivatsaultppc.com - POST /wxi3wflyuq6
• 22:33:26 UTC - 192.168.204.229:49171 - 85.29.190.85:80 - vision-vaper.su - GET /b/letr/535D4FBB3776BCC982A74E58
• 22:33:30 UTC - 192.168.204.229:49175 - 199.127.225.232:80 - vivatsaultppc.com - POST /my73e15b4h0363
• 22:33:31 UTC - 192.168.204.229:49174 - 178.18.18.30:443 - 178.18.18.30:443 - POST /b/opt/90B875CA010D5B84B4DCA915
• 22:33:38 UTC - 192.168.204.229:49176 - 199.127.225.232:80 - vivatsaultppc.com - POST /2zdd02afds
• 22:33:45 UTC - 192.168.204.229:49177 - 199.127.225.232:80 - vivatsaultppc.com - POST /xzsgbht0uok00
• 22:33:50 UTC - 192.168.204.229:49178 - 178.18.18.30:443 - 178.18.18.30:443 - POST /b/req/1B1B401D6DE70EA8D836FC39
• 22:33:51 UTC - 192.168.204.229:49179 - 178.18.18.30:443 - 178.18.18.30:443 - GET /b/eve/0adda4d9bf0c564818fce4cc
• 22:33:52 UTC - 192.168.204.229:49181 - 199.127.225.232:80 - vivatsaultppc.com - POST /rd86wfz0a7
• 22:34:00 UTC - 192.168.204.229:49182 - 199.127.225.232:80 - vivatsaultppc.com - POST /yh4eitdqw7j3w
• 22:34:08 UTC - 192.168.204.229:49183 - 199.127.225.232:80 - vivatsaultppc.com - POST /sy620v2es9tv0h
• 22:34:15 UTC - 192.168.204.229:49184 - 199.127.225.232:80 - vivatsaultppc.com - POST /ucj37drryo82shy
• 22:34:24 UTC - 192.168.204.229:49185 - 199.127.225.232:80 - vivatsaultppc.com - POST /g5yx1yl7r27
• 22:34:30 UTC - 192.168.204.229:49186 - 199.127.225.232:80 - vivatsaultppc.com - POST /348pba0mze
• 22:34:37 UTC - 192.168.204.229:49187 - 199.127.225.232:80 - vivatsaultppc.com - POST /ghs51z3xwlffvgz
• 22:34:49 UTC - 192.168.204.229:49189 - 178.18.18.30:443 - 178.18.18.30:443 - POST /b/req/F7D327685841B98CED904B1D
• 22:34:45 UTC - 192.168.204.229:49188 - 199.127.225.232:80 - vivatsaultppc.com - POST /1r9cjlnw9l4d1
• 22:34:53 UTC - 192.168.204.229:49190 - 199.127.225.232:80 - vivatsaultppc.com - POST /8d4o4ys5854x0iv
• 22:35:01 UTC - 192.168.204.229:49191 - 199.127.225.232:80 - vivatsaultppc.com - POST /l10r95b108
• 22:35:05 UTC - 192.168.204.229:49192 - 195.242.81.52:80 - vision-vaper.su - GET /b/eve/39aae2078c7b10961564c867
• 22:35:10 UTC - 192.168.204.229:49194 - 199.127.225.232:80 - vivatsaultppc.com - POST /2sik115itnsur
• 22:35:19 UTC - 192.168.204.229:49195 - 199.127.225.232:80 - vivatsaultppc.com - POST /8uncvu2s2ll
• 22:35:32 UTC - 192.168.204.229:49196 - 199.127.225.232:80 - vivatsaultppc.com - POST /nql8fcbbjhy
• 22:35:40 UTC - 192.168.204.229:49197 - 199.127.225.232:80 - vivatsaultppc.com - POST /3bkzspv486
• 22:35:47 UTC - 192.168.204.229:49198 - 199.127.225.232:80 - vivatsaultppc.com - POST /ncaomai3ka
• 22:35:59 UTC - 192.168.204.229:49199 - 199.127.225.232:80 - vivatsaultppc.com - POST /n47ase6z79w
• 22:36:02 UTC - 192.168.204.229:49200 - 208.76.172.96:8080 - 208.76.172.96:8080 - POST /b/opt/BF2871B154B2ADBEE1635F2F
• 22:36:08 UTC - 192.168.204.229:49201 - 199.127.225.232:80 - vivatsaultppc.com - POST /4sfpkxpy1zp3
• 22:36:16 UTC - 192.168.204.229:49202 - 199.127.225.232:80 - vivatsaultppc.com - POST /ur0q3g6hd9449f
• 22:36:19 UTC - 192.168.204.229:49203 - 208.76.172.96:8080 - 208.76.172.96:8080 - POST /b/req/B9CDD8ACEE8DEBE65B5C1977
• 22:36:21 UTC - 192.168.204.229:49204 - 192.162.19.34:80 - resorts-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49206 - 192.162.19.34:80 - aquariums-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49207 - 192.162.19.34:80 - grand-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49208 - 192.162.19.34:80 - victory-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49209 - 192.162.19.34:80 - recommendation-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49210 - 192.162.19.34:80 - sultan-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49211 - 192.162.19.34:80 - ecored-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49212 - 192.162.19.34:80 - sheikh-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49213 - 192.162.19.34:80 - submission-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49214 - 192.162.19.34:80 - country-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49215 - 192.162.19.34:80 - cleopatra-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49216 - 192.162.19.34:80 - available-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49217 - 192.162.19.34:80 - calimera-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49218 - 192.162.19.34:80 - aquariums-search.com - GET /
• 22:36:21 UTC - 192.168.204.229:49219 - 192.162.19.34:80 - grand-search.com - GET /
• 22:36:22 UTC - 192.168.204.229:49231 - 192.162.19.34:80 - lereve-search.com - GET /

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-06-29-Magnitude-EK-java-exploit.jar
File size:  13.5 KB ( 13830 bytes )
MD5 hash:  4ab8409d83b845f39f787ac0ba087811
Detection ratio:  2 / 54
First submission:  2014-06-30 21:53:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8edf0aab22d5c16d4e1ea5f438a9ecb461bfbfc7a6db364cdba9fd434dec211b/analysis/

 

MALWARE TAKEN FROM THE VM:

• 2014-06-29-Magnitude-EK-malware-payload-1-of-4.exe   -   MD5: e59bb202d56f9f603d735fd34a66ad9f   -   182.0 KB ( 186368 bytes )   -   Virus Total link   -   Malwr link
• 2014-06-29-Magnitude-EK-malware-payload-2-of-4.exe   -   MD5: 08c6abc9d618b66b87a425d820f81350   -   90.5 KB ( 92688 bytes )   -   Virus Total link   -   Malwr link
• 2014-06-29-Magnitude-EK-malware-payload-3-of-4.exe   -   MD5: 52d8656b13807412f92128dc95b57823   -   121.5 KB ( 124424 bytes )   -   Virus Total link   -   Malwr link
• UpdateFlashPlayer_602e5b93.exe   -   MD5: b9a6a7b595d6d00424fabe037df305ec   -   165.0 KB ( 168968 bytes )   -   Virus Total link   -   Malwr link

NOTE: The malware payloads in the PCAP are obfuscated with more than a simple XOR, and I couldn't decrypt them.  I also couldn't find the last malware payload (4 of 4) on the infected VM, so it's not included here.

 

SNORT EVENTS

These Snort events were taken from Sguil on Security Onion using the default Emerging Threats rule set.  This list does not include the ET INFO or ET POLICY rules.

• 64.187.226.183:80 - 192.168.204.229:49288 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 (sid:2017602)
• 64.187.226.183:80 - 192.168.204.229:49289 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK (sid:2017849)
• 192.168.204.229:49295 - 64.187.226.183:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013 (sid:2017603)
• 64.187.226.183:80 - 192.168.204.229:49295 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (sid:2016797)
• 64.187.226.183:80 - 192.168.204.229:49295 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
• 64.187.226.183:80 - 192.168.204.229:49300 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 64.187.226.183:80 - 192.168.204.229:49300 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs (sid:2016540)
• 192.168.204.229:49302 - 64.187.226.183:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request (sid:2015888)
• 192.168.204.229:49309 - 199.127.225.232:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
• 99.238.33.1:80 - 192.168.204.229:49312 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 192.168.204.229:49160 - 85.29.190.85:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• 85.29.190.85:80 - 192.168.204.229:49160 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 192.168.204.229:49169 - 85.29.190.85:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
• 195.242.81.52:80 - 192.168.204.229:49192 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-06-29-Magnitude-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-29-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.