2014-07-15 - MAGNITUDE EK FROM 5.133.179.166 - 241020.2DBA.6D01312.011.A85.6B4.D4.DF92.CFTBMXJLI.FOLKSBUILT.IN
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-07-15-Magnitude-EK-traffic.pcap.zip
- ZIP of the malware: 2014-07-15-Magnitude-EK-malware.zip
NOTES:
- In this traffic, Magnitude EK appears to have used IE exploit CVE-2013-2551 to infect the vulnerable VM.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 194.254.173.148 - windywing.pristineprinting.com - Redirect
- 5.133.179.166 - 241020.2dba.6d01312.011.a85.6b4.d4.df92.cftbmxjli.folksbuilt.in - Magnitude EK
- Various IP addresses - various domains - Post-infection traffic (see below)
REDIRECT:
- 21:10:57 UTC - 172.16.165.133:49171 - 194.254.173.148:80 - windywing.pristineprinting.com - GET /themes/index.php?id=aHR0cDovLzI0MTAyMC4yZGJhLjZkMDEzMTIuMDExLmE4NS42YjQuZDQuZGY5Mi5jZnRibXhqbGkuZm9sa3NidWlsdC5pbi8=
MAGNITUDE EK:
- 21:10:58 UTC - 172.16.165.133:49172 - 5.133.179.166:80 - 241020.2dba.6d01312.011.a85.6b4.d4.df92.cftbmxjli.folksbuilt.in - GET /
- 21:10:59 UTC - 172.16.165.133:49174 - 5.133.179.166:80 - 241020.2dba.6d01312.011.a85.6b4.d4.df92.cftbmxjli.folksbuilt.in - GET /6382873ee967eb1591c1266c79e842e4/5490059a4a13c0261bb96821a1e47145
- 21:11:08 UTC - 172.16.165.133:49178 - 5.133.179.166:80 - 5.133.179.166 - GET /?616b58cf0d17720490b9f8b46312e5b3
- 21:11:25 UTC - 172.16.165.133:49180 - 5.133.179.166:80 - 5.133.179.166 - GET /?090310239f82e2574fe7d9bd3bb31edd
- 21:11:26 UTC - 172.16.165.133:49182 - 5.133.179.166:80 - 5.133.179.166 - GET /?2cfc5da72d98dcf9a701bd9c0d4c210b
- 21:11:27 UTC - 172.16.165.133:49185 - 5.133.179.166:80 - 5.133.179.166 - GET /?c0a8097b350a96460f4894922666dd8d
- 21:11:31 UTC - 172.16.165.133:49188 - 5.133.179.166:80 - 5.133.179.166 - GET /?8b009d50276692d6c61359e036ebc12a
- 21:11:34 UTC - 172.16.165.133:49192 - 5.133.179.166:80 - 5.133.179.166 - GET /?6d3f2fa09704c11a2de462a676565173
- 21:12:33 UTC - 172.16.165.133:49232 - 5.133.179.166:80 - c3a45.ce7.a6da2f.4b2357.6da628.e2.43ed.sbyvqeajn.folksbuilt.in - GET /?30425556585f44525f441e535f5d
- 21:12:39 UTC - 172.16.165.133:49237 - 5.133.179.166:80 - c3a45.ce7.a6da2f.4b2357.6da628.e2.43ed.sbyvqeajn.folksbuilt.in - GET /c5d67277c6b1f35a9fbfcd32a53518ca/94b9a6c04950fcf107b67a8f4b6d3432
POST-INFECTION TRAFFIC:
- 21:11:32 UTC - 172.16.165.133:49190 - 178.141.97.185:80 - come-passere.com - GET /b/shoe/749634
- 21:11:37 UTC - 172.16.165.133:49194 - 93.127.86.19:80 - la-spazzolino.com - GET /mod_articles-php357.446/jquery/
- 21:11:53 UTC - 172.16.165.133:49198 - 93.127.86.19:80 - la-spazzolino.com - GET /mod_articles-php357.446/jquery/
- 21:14:26 UTC - 172.16.165.133:49261 - 176.213.137.214:80 - la-spazzolino.com - GET /mod_articles-php357.446/jquery/
- 21:14:27 UTC - 172.16.165.133:49260 - 178.141.97.185:80 - la-spazzolino.com - GET /mod_articles-php357.446/jquery/
- 21:14:36 UTC - 172.16.165.133:49263 - 176.213.137.214:80 - la-spazzolino.com - GET /mod_articles-php357.446/ajax/
- 21:16:07 UTC - 172.16.165.133:49158 - 95.46.199.63:80 - la-spazzolino.com - GET /mod_jshopping-java984.561/soft64.dll
- 21:16:12 UTC - 172.16.165.133:49160 - 46.219.29.102:80 - vision-vaper.su - GET /b/eve/7e2ad40fb13829982428cfe3
- 21:12:04 UTC - 172.16.165.133:64836 - 8.8.4.4:53 - DNS query for nsa.figaina5.net
- 21:12:05 UTC - 172.16.165.133:64836 - 8.8.8.8:53 - DNS query for nsa.figaina5.net
- 21:12:06 UTC - 172.16.165.133:64836 - 8.8.4.4:53 - DNS query for nsa.figaina5.net
- 21:12:07 UTC - 8.8.4.4:53 - 172.16.165.133:64836 - DNS response for nsa.figaina5.net as 125.83.138.92
- 21:12:07 UTC - 8.8.8.8:53 - 172.16.165.133:64836 - DNS response for nsa.figaina5.net as 125.83.138.92
- 21:12:07 UTC - 8.8.4.4:53 - 172.16.165.133:64836 - DNS response for nsa.figaina5.net as 125.83.138.92
- 21:12:07 UTC - 172.16.165.133:49207 - 85.17.139.17:53 - TCP traffic over port 53
- 21:14:58 UTC - 172.16.165.133:49264 - 85.17.139.17:53 - TCP traffic over port 53
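The redirect request above carries its destination as a base64-encoded "id" parameter, which is how the pristineprinting.com page hands the victim browser to the Magnitude EK landing host. The following script is an added example (not part of the original write-up or its PCAP tooling): it parses event lines in the "time - src - dst - host - request" layout used in this chain of events, decodes the redirect parameter, and checks that the decoded target host is the host of the landing-page request. The two event lines embedded in the script are copied from the chain of events; the parameter name "id" is taken from the redirect URL, and the parsing regex and function names are this example's own.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Event lines copied from the chain of events on this page: the redirect and the
# first request to the Magnitude EK landing page. Layout is the page's own:
# "time - src:port - dst:port - host - METHOD path".
REDIRECT_LINE = ("21:10:57 UTC - 172.16.165.133:49171 - 194.254.173.148:80 - "
                 "windywing.pristineprinting.com - GET /themes/index.php?id="
                 "aHR0cDovLzI0MTAyMC4yZGJhLjZkMDEzMTIuMDExLmE4NS42YjQuZDQuZGY5"
                 "Mi5jZnRibXhqbGkuZm9sa3NidWlsdC5pbi8=")
LANDING_LINE = ("21:10:58 UTC - 172.16.165.133:49172 - 5.133.179.166:80 - "
                "241020.2dba.6d01312.011.a85.6b4.d4.df92.cftbmxjli.folksbuilt.in - GET /")

# Regex for the page's event-line layout (this example's own assumption about the format).
EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$")


def parse_event(line):
    """Split one event line into a dict of its fields; raise on anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised event line: " + line)
    event = m.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def decode_redirect_target(path, param="id"):
    """Return the URL carried base64-encoded in the query parameter, or None.

    None is returned when the parameter is absent, is not valid base64, or does
    not decode to an http(s) URL, so a caller never acts on garbage.
    """
    query = parse_qs(urlsplit(path).query)
    if param not in query:
        return None
    raw = query[param][0].replace(" ", "+")   # parse_qs turns '+' into a space
    raw += "=" * (-len(raw) % 4)              # tolerate stripped padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def redirect_leads_to(redirect_line, landing_line):
    """True when the redirect's decoded target host equals the landing request's host."""
    redirect = parse_event(redirect_line)
    landing = parse_event(landing_line)
    target = decode_redirect_target(redirect["path"])
    if target is None:
        return False
    return urlsplit(target).hostname == landing["host"]


if __name__ == "__main__":
    print("redirect target:", decode_redirect_target(parse_event(REDIRECT_LINE)["path"]))
    print("matches EK landing host:", redirect_leads_to(REDIRECT_LINE, LANDING_LINE))
```

Run against the page's two lines, the decoded parameter is the full Magnitude EK landing URL, and the host check confirms the redirect is the hand-off to the EK rather than an unrelated request on the compromised site. The same check can be run over any redirect whose query string carries a base64 destination, which is why the decoder refuses values that do not decode to an http(s) URL instead of returning partial output.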
PRELIMINARY MALWARE ANALYSIS
MALWARE PAYLOAD 1 OF 4:
File name: 2014-07-15-Magnitude-EK-malware-payload-1-of-4.exe
File size: 290.5 KB ( 297492 bytes )
MD5 hash: 0e7fcd6595c444f6a829d4763516741f
Detection ratio: 7 / 53
First submission: 2014-07-15 23:33:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/28afa062eb5466531d804fdeb249c28cf7992f983c90fb6b9b60d6171a53648b/analysis/
Malwr link: https://malwr.com/analysis/OGE5MmVmMGNkODE0NDY5NDg3MWFiODFjZDY2NzA5ZTc/
MALWARE PAYLOAD 2 OF 4:
File name: 2014-07-15-Magnitude-EK-malware-payload-2-of-4.exe
File size: 92.0 KB ( 94216 bytes )
MD5 hash: 8beb666c0c45f74875a3f5882ec957cd
Detection ratio: 4 / 54
First submission: 2014-07-15 23:35:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/cdec45ec8e20bcb710b7971a0e95a8c9fffbb1775fe7e3e9a3e4d847d2c5d08f/analysis/
Malwr link: https://malwr.com/analysis/NjdiYTQzNzk1YTBkNGJlN2E3NzJlMzQ2Zjk5OTA0Y2U/
MALWARE PAYLOAD 3 OF 4:
File name: 2014-07-15-Magnitude-EK-malware-payload-3-of-4.exe
File size: 108.0 KB ( 110592 bytes )
MD5 hash: 33aedc85d46d28321bded7ea27c01f62
Detection ratio: 3 / 54
First submission: 2014-07-15 23:36:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/9d680a28111322cc35e170335c088c826e3dd13f2883f5c57f233dc00303d1f0/analysis/
Malwr link: https://malwr.com/analysis/YjY0OTkzZGIwNTkxNDRmMjk5NzZkY2YwYzY5MGUxMDc/
MALWARE PAYLOAD 4 OF 4:
File name: 2014-07-15-Magnitude-EK-malware-payload-4-of-4.exe
File size: 420.0 KB ( 430080 bytes )
MD5 hash: 95e0f12750a0629fd00551def17207ed
Detection ratio: 5 / 54
First submission: 2014-07-15 23:38:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/3e99add247b060c795512783803c6698b5490bef7c883d7e39ab0223152ae253/analysis/
Malwr link: https://malwr.com/analysis/YzZjOWMzMGM3ZmMyNGU4ZDhiMTQ2OTFkNzU4ZmNlODk/
FOLLOW-UP MALWARE:
File name: UpdateFlashPlayer_dca93f91.exe
File size: 168.0 KB ( 172032 bytes )
MD5 hash: e57ea8653156a1b16414c57378546418
Detection ratio: 4 / 54
First submission: 2014-07-16 01:00:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/666bd304a5c637c74a30a13d466ee7df7142cc70bd3eeca80a66abd9858b1a14/analysis/
Malwr link: https://malwr.com/analysis/Mzk1YzY3MDcxNjJiNDQ0ZTgwYjhkNmUyZDVmZGZlYWY/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion:
- 2 count - 5.133.179.166:80 - 172.16.165.134:49174 - ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage (sid:2012119)
- 6 count - 172.16.165.134:49178 - 5.133.179.166:80 - ET TROJAN Storm Worm HTTP Request (sid:2006411)
- 6 count - 172.16.165.134:49178 - 5.133.179.166:80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 (sid:2017694)
- 6 count - 172.16.165.134:49178 - 5.133.179.166:80 - ET CURRENT_EVENTS NeoSploit - TDS (sid:2015665)
- 4 count - 5.133.179.166:80 - 172.16.165.134:49178 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
- 40 count - 5.133.179.166:80 - 172.16.165.134:49178 - ET MALWARE Possible Windows executable sent when remote host claims to send html content (sid:2009897)
- 1 count - 5.133.179.166:80 - 172.16.165.134:49185 - ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected (sid:2011803)
- 1 count - 172.16.165.134:49190 - 178.141.97.185:80 - ET TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2018643)
- 14 count - 5.133.179.166:80 - 172.16.165.134:49192 - ET INFO Packed Executable Download (sid:2014819)
- 5 count - 172.16.165.134:49194 - 93.127.86.19:80 - ET TROJAN Win32/Zemot Checkin (sid:2018644)
- 2 count - 93.127.86.19:80 - 172.16.165.134:49194 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
- 24 count - 93.127.86.19:80 - 172.16.165.134:49194 - ET INFO EXE - Served Attached HTTP (sid:2014520)
- 24 count - 93.127.86.19:80 - 172.16.165.134:49194 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
- 1 count - 93.127.86.19:80 - 172.16.165.134:49198 - ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected (sid:2011803)
- 2 count - 172.16.165.134:49207 - 85.17.139.17:53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)
- 2 count - 176.213.137.214:80 - 172.16.165.134:49261 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
- 19 count - 176.213.137.214:80 - 172.16.165.134:49261 - ET INFO EXE - Served Attached HTTP (sid:2014520)
- 19 count - 176.213.137.214:80 - 172.16.165.134:49261 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
- 1 count - 176.213.137.214:80 - 172.16.165.134:49261 - ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected (sid:2011803)
- 1 count - 178.141.97.185:80 - 172.16.165.134:49260 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
- 8 count - 178.141.97.185:80 - 172.16.165.134:49260 - ET INFO EXE - Served Attached HTTP (sid:2014520)
- 8 count - 178.141.97.185:80 - 172.16.165.134:49260 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
- 1 count - 178.141.97.185:80 - 172.16.165.134:49260 - ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected (sid:2011803)
- 1 count - 172.16.165.134:49158 - 95.46.199.63:80 - ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected (sid:2010228)
- 1 count - 172.16.165.134:61762 - 8.8.8.8:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)
- 1 count - 172.16.165.134:49160 - 46.219.29.102:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
- 1 count - 172.16.165.134:49160 - 46.219.29.102:80 - ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related (sid:2014170)
- 1 count - 46.219.29.102:80 - 172.16.165.134:49160 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:
- 2014-07-15 21:10:58 UTC - 8.8.8.8:53 - 172.16.165.134:55424 - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
- 2014-07-15 21:10:58 UTC - 5.133.179.166:80 - 172.16.165.134:49172 - [1:26653:4] EXPLOIT-KIT Multiple exploit kit landing page - specific structure
- 2014-07-15 21:10:58 UTC - 5.133.179.166:80 - 172.16.165.134:49172 - [1:30766:1] EXPLOIT-KIT Magnitude exploit kit landing page
- 2014-07-15 21:11:08 UTC - 172.16.165.134:49178 - 5.133.179.166:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request
- 2014-07-15 21:11:08 UTC - 5.133.179.166:80 - 172.16.165.134:49178 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt
- 2014-07-15 21:11:08 UTC - 5.133.179.166:80 - 172.16.165.134:49178 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 2014-07-15 21:11:08 UTC - 5.133.179.166:80 - 172.16.165.134:49178 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:11:25 UTC - 172.16.165.134:49180 - 5.133.179.166:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request
- 2014-07-15 21:11:26 UTC - 172.16.165.134:49182 - 5.133.179.166:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request
- 2014-07-15 21:11:27 UTC - 172.16.165.134:49185 - 5.133.179.166:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request
- 2014-07-15 21:11:27 UTC - 5.133.179.166:80 - 172.16.165.134:49185 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt
- 2014-07-15 21:11:27 UTC - 5.133.179.166:80 - 172.16.165.134:49185 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 2014-07-15 21:11:27 UTC - 5.133.179.166:80 - 172.16.165.134:49185 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:11:28 UTC - 5.133.179.166:80 - 172.16.165.134:49185 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-07-15 21:11:31 UTC - 172.16.165.134:49188 - 5.133.179.166:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request
- 2014-07-15 21:11:32 UTC - 5.133.179.166:80 - 172.16.165.134:49188 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt
- 2014-07-15 21:11:32 UTC - 5.133.179.166:80 - 172.16.165.134:49188 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 2014-07-15 21:11:32 UTC - 5.133.179.166:80 - 172.16.165.134:49188 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:11:32 UTC - 5.133.179.166:80 - 172.16.165.134:49188 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-07-15 21:11:34 UTC - 172.16.165.134:49192 - 5.133.179.166:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request
- 2014-07-15 21:11:35 UTC - 5.133.179.166:80 - 172.16.165.134:49192 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt
- 2014-07-15 21:11:35 UTC - 5.133.179.166:80 - 172.16.165.134:49192 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 2014-07-15 21:11:35 UTC - 5.133.179.166:80 - 172.16.165.134:49192 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:11:36 UTC - 8.8.4.4:53 - 172.16.165.134:63396 - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
- 2014-07-15 21:11:37 UTC - 93.127.86.19:80 - 172.16.165.134:49194 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-07-15 21:11:37 UTC - 93.127.86.19:80 - 172.16.165.134:49194 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:11:38 UTC - 93.127.86.19:80 - 172.16.165.134:49194 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-07-15 21:11:53 UTC - 93.127.86.19:80 - 172.16.165.134:49198 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-07-15 21:11:53 UTC - 93.127.86.19:80 - 172.16.165.134:49198 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:11:54 UTC - 93.127.86.19:80 - 172.16.165.134:49198 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-07-15 21:12:07 UTC - 172.16.165.134:49207 - 85.17.139.17:53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
- 2014-07-15 21:12:33 UTC - 8.8.4.4:53 - 172.16.165.134:57724 - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
- 2014-07-15 21:12:35 UTC - 5.133.179.166:80 - 172.16.165.134:49232 - [1:26653:4] EXPLOIT-KIT Multiple exploit kit landing page - specific structure
- 2014-07-15 21:12:35 UTC - 5.133.179.166:80 - 172.16.165.134:49232 - [1:30766:1] EXPLOIT-KIT Magnitude exploit kit landing page
- 2014-07-15 21:14:26 UTC - 176.213.137.214:80 - 172.16.165.134:49261 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-07-15 21:14:26 UTC - 176.213.137.214:80 - 172.16.165.134:49261 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:14:27 UTC - 176.213.137.214:80 - 172.16.165.134:49261 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-07-15 21:14:27 UTC - 178.141.97.185:80 - 172.16.165.134:49260 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-07-15 21:14:27 UTC - 178.141.97.185:80 - 172.16.165.134:49260 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:14:28 UTC - 178.141.97.185:80 - 172.16.165.134:49260 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-07-15 21:14:44 UTC - 176.213.137.214:80 - 172.16.165.134:49263 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-07-15 21:14:44 UTC - 176.213.137.214:80 - 172.16.165.134:49263 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-07-15 21:14:58 UTC - 172.16.165.134:49264 - 85.17.139.17:53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection
- 2014-07-15 21:16:11 UTC - 172.16.165.134:61762 - 8.8.8.8:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
- 2014-07-15 21:16:12 UTC - 172.16.165.134:49160 - 46.219.29.102:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-07-15-Magnitude-EK-traffic.pcap.zip
- ZIP of the malware: 2014-07-15-Magnitude-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.