2014-08-01 - MAGNITUDE EK - 193.169.245.148 - E504.01C4.A8022.1C.190.ED2E62B.575.808F.HYIXOANGCQH.CASSETTETERMS.EU

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-08-01-Magnitude-EK-pcaps.zip
• ZIP of the malware:  2014-08-01-Magnitude-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 193.169.245.148 - e504.01c4.a8022.1c.190.ed2e62b.575.808f.hyixoangcqh.cassetteterms.eu - Magnitude EK
• Various IP addresses - various domains - Post-infection traffic (see below)

 

MAGNITUDE EK:

• 21:58:39 - e504.01c4.a8022.1c.190.ed2e62b.575.808f.hyixoangcqh.cassetteterms.eu - GET /
• 21:58:41 - e504.01c4.a8022.1c.190.ed2e62b.575.808f.hyixoangcqh.cassetteterms.eu - GET /5c50b1ffc10f4111d0bc47d655ddd08e/03dea545f17ef8919ee268b53a1c6b48
• 21:58:41 - e504.01c4.a8022.1c.190.ed2e62b.575.808f.hyixoangcqh.cassetteterms.eu - GET /5c50b1ffc10f4111d0bc47d655ddd08e/89d1ae2740a5673bdc48edee513359b8
• 21:58:44 - 193.169.245.148 - GET /?370998059315b7817ee942e0c2b862cd
• 21:58:49 - 193.169.245.148 - GET /?cb7df6cb7e932b688142b84db9acdac6
• 21:58:50 - 193.169.245.148 - GET /?e08a6db790f104dc19cc65e9f158c461
• 21:58:52 - 193.169.245.148 - GET /?3fd3cb4f1c54bbd1f1e889152ef75c2a
• 21:58:56 - 193.169.245.148 - GET /?0054358c68ad1cf1f7a3c5bf8c46eb2f
• 21:59:02 - 193.169.245.148 - GET /?c34e22a524c547e0fc8fff9d18bfd7c8

 

SNORT EVENTS FOR THE INITIAL INFECTION

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 21:58:40 UTC - 193.169.245.148:80 - 172.16.165.133:51080 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 (sid:2017602)
• 21:58:42 UTC - 193.169.245.148:80 - 172.16.165.133:51098 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK (sid:2017849)
• 21:58:44 UTC - 172.16.165.133:51130 - 193.169.245.148:80 - ET TROJAN Storm Worm HTTP Request (sid:2006411)
• 21:58:44 UTC - 172.16.165.133:51130 - 193.169.245.148:80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 (sid:2017694)
• 21:58:44 UTC - 172.16.165.133:51130 - 193.169.245.148:80 - ET CURRENT_EVENTS NeoSploit - TDS (sid:2015665)
• 21:58:45 UTC - 193.169.245.148:80 - 172.16.165.133:51130 - ET MALWARE Possible Windows executable sent when remote host claims to send html content (sid:2009897)
• 21:58:46 UTC - 193.169.245.148:80 - 172.16.165.133:51130 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009897)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

• 21:58:40 UTC - 193.169.245.148:80 - 172.16.165.133:51080 - [1:26653:4] EXPLOIT-KIT Multiple exploit kit landing page - specific structure
• 21:58:40 UTC - 193.169.245.148:80 - 172.16.165.133:51080 - [1:30766:1] EXPLOIT-KIT Magnitude exploit kit landing page
• 21:58:44 UTC - 172.16.165.133:various - 193.169.245.148:80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (4 times)
• 21:58:46 UTC - 193.169.245.148:80 - 172.16.165.133:various - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (4 times)
• 21:58:46 UTC - 193.169.245.148:80 - 172.16.165.133:various - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (4 times)
• 21:58:53 UTC - 193.169.245.148:80 - 172.16.165.133:various - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected (4 times)
• 21:58:46 UTC - 193.169.245.148:80 - 172.16.165.133:various - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download (4 times)
• 21:58:53 UTC - 193.169.245.148:80 - 172.16.165.133:51133 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (4 times)

 

MALWARE PAYLOAD 1 OF 4

File name:  2014-08-01-Magnitude-EK-malware-payload-1-of-4.exe
File size:  306.8 KB ( 314190 bytes )
MD5 hash:  b0ab691fb2fb6ae4c4f34d0f580bfc0a
Detection ratio:  1 / 54
First submission:  2014-08-01 22:12:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fc6eeed81fb9f20b9306481b28b2ee84cb80df8b3b462c2e416ee08c48454e71/analysis/

 

TRAFFIC (2014-08-01-Magnitude-EK-malware-payload-sandbox-analysis-1-of-4.pcap):

• 146.185.220.23:19077 - UDP traffic
• 140.184.178.123:48754 - TCP traffic
• 146.185.220.23:8080 - GET /pgt/?ver=1.0.229&id=120&r=112195&os=6.1|2|8.0.7601.17514&res=1|2047|1421
• 146.185.220.23:8090 - GET /rgr/?id=1200f452094b287b5e531e480d1c6f4f
• 207.244.73.180 - 6988.sindelclick.com - GET /?p=8R5uCRhHJ6yYmqim%2B[long string of characters]
• 108.168.157.141 - 3159585321.pub.ezanga.com - GET /rv2.php?c8f1d1148e09bd1caaaafcca774a6916d8e8f29205&q=educational+software+programs+buy+tube+
  benders&utm_source=3159585321
• 146.185.220.23:8090 - GET /rgr/?id=672800550c49202d5a541b4a054a6b49
• 204.27.56.91 - GET /feed-w11/click?aff=10157&saff=120&cid=e9047bf381d07cfe2f38736020d8fc26
• 108.168.157.141 - 3159585321.pub.ezanga.com - GET /tags.php?kw=educational%2Bsoftware%2Bprograms%2Bbuy%2Btube%2Bbenders&cat=education
  &url=www.elizadomestica.com
• 173.239.42.220 - xml.primusad.com - GET /click?i=GfMKHlj9hcw_2
• 108.168.157.141 - 3159585321.pub.ezanga.com - GET /rvf/?cid=ezanga&sid=3159585321&uid=U9wdzgpRQRwAADgVzqcAAAIz&source=ez
• 50.97.233.183 - i.simpli.fi - GET /dpx.js?cid=6908&m=1&quid=educational+software+programs+buy+tube+benders
• 192.170.157.133 - loadus.exelator.com - GET /load/?p=545&g=001&c=1289606&ctg=education&kw=educational+software+programs+buy+tube+benders
• 204.0.87.105 - b.scorecardresearch.com - GET /beacon.js
• 192.158.13.200 - rtg.salespidermedia.com - GET /dt.js

 

SNORT EVENTS:

• 172.16.165.136:49159 146.185.220.23:8080 - ET TROJAN Win32/Ropest.A Checkin (sid:2018750)

 

MALWARE PAYLOAD 2 OF 4

File name:  2014-08-01-Magnitude-EK-malware-payload-2-of-4.exe
File size:  96.0 KB ( 98304 bytes )
MD5 hash:  cbcd09fac316689b2a92bf48e3f6ea60
Detection ratio:  2 / 54
First submission:  2014-08-01 22:12:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/62de688d5e72799f5cfd607a25a25ffa1010fd8fb4dd8791f54b683d691c0bb1/analysis/

 

TRAFFIC (2014-08-01-Magnitude-EK-malware-payload-sandbox-analysis-2-of-4.pcap):

• 81.163.158.123 - icepower.su - GET /b/shoe/749634
• 81.163.158.123 - icepower.su - GET /b/shoe/749634
• 81.163.158.123 - icepower.su - GET /b/shoe/749634
• 81.163.158.123 - icepower.su - GET /b/shoe/749634
• 81.163.158.123 - icepower.su - GET /b/shoe/749634
• 81.163.158.123 - icepower.su - GET /b/shoe/749634
• 94.76.127.113 - smokejuse.su - GET /mod_articles-pol5.6/jquery/
• 94.76.127.113 - smokejuse.su - GET /mod_jshopping-qert9.1/soft64.dll
• 5.248.96.177 - vision-vaper.su - GET /b/eve/d7472b891855d61e17bb454c
• 94.76.127.113 - vision-vaper.su - POST /b/opt/42C57B77A325DCAD6C37213A
• 94.76.127.113 - vision-vaper.su - POST /b/opt/7AC8400FBF2A1A6B7038E7FC
• 94.76.127.113 - vision-vaper.su - POST /b/req/E06AE48D77EDFE7AB8FF03ED
• 94.76.127.113 - vision-vaper.su - POST /b/req/53AAC178898DBB72469F46E5
• 192.162.19.34 - hilton-search.com - GET /
• 192.162.19.34 - username-search.com - GET /
• 192.162.19.34 - calimera-search.com - GET /
• 192.162.19.34 - projects-search.com - GET /
• 192.162.19.34 - forest-search.com - GET /
• 192.162.19.34 - helped-search.com - GET /
• 192.162.19.34 - companies-search.com - GET /
• 192.162.19.34 - lereve-search.com - GET /
• 192.162.19.34 - cargo-search.com - GET /
• 192.162.19.34 - recommendation-search.com - GET /
• 192.162.19.34 - convoy-search.com - GET /
• 192.162.19.34 - baron-search.com - GET /

 

SNORT EVENTS:

• ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid:2018572)
• ET TROJAN Win32/Zemot Checkin (sid:2018644)
• ET TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2018643)

• [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
• [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection

 

MALWARE PAYLOAD 3 OF 4

File name:  2014-08-01-Magnitude-EK-malware-payload-3-of-4.exe
File size:  116.0 KB ( 118784 bytes )
MD5 hash:  f4a6b0fc34772505c2a0f0a510d2e220
Detection ratio:  3 / 54
First submission:  2014-08-01 22:12:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e5d5942f3ffac23b091605a6cf646e954e593890ccf86ec013f17d909e476c29/analysis/

 

TRAFFIC (2014-08-01-Magnitude-EK-malware-payload-sandbox-analysis-3-of-4.pcap):

• DNS queries for nsa.pastadicarne.me.uk
• TCP traffic to 85.17.141.10 over port 53
• TCP traffic to 76.73.102.74 over port 53

 

SNORT EVENTS:

• ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)

• [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection

 

MALWARE PAYLOAD 4 OF 4

File name:  2014-08-01-Magnitude-EK-malware-payload-4-of-4.exe
File size:  95.5 KB ( 97792 bytes )
MD5 hash:  1c3b3e3640545fe6fc7c056d3369d010
Detection ratio:  2 / 54
First submission:  2014-08-01 22:13:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2d43fd5ede9afa8c0b8ca14e8661a3d6f4c3e05b91ddfd76bda5a3c4561c7f6b/analysis/

 

TRAFFIC (2014-08-01-Magnitude-EK-malware-payload-sandbox-analysis-4-of-4.pcap):

• 31.184.192.202:80 - cd5c5c.com - GET /dll
• 31.184.192.202:81 - cd5c5c.com - GET /query?version=1.37&sid=2020&builddate=210714&q=natural+testosterone+supplements&ref=
  http%3A%2F%2Ffindandhide%2Ecom%2Fsearch%2Ephp[long string]
• 31.184.192.202:81 - cd5c5c.com - GET /query?version=1.37&sid=2020&builddate=210714&q=how+to+raise+testosterone&ref=
  http%3A%2F%2Ffindandhide%2Ecom%2Fsearch%2Ephp[long string]
• 31.184.192.202:81 - cd5c5c.com - GET /query?version=1.37&sid=2020&builddate=210714&q=do+testosterone+boosters+work&ref=
  http%3A%2F%2Ffindandhide%2Ecom%2Fsearch%2Ephp[long string]
• 31.184.192.202:81 - cd5c5c.com - GET /query?version=1.37&sid=2020&builddate=210714&q=average+car+insurance+rates&ref=
  http%3A%2F%2Ffindandhide%2Ecom%2Fsearch%2Ephp[long string]
• 31.184.192.202:81 - cd5c5c.com - GET /query?version=1.37&sid=2020&builddate=210714&q=index+finger+joint+pain&ref=
  http%3A%2F%2Ffindandhide%2Ecom%2Fsearch%2Ephp[long string]
• Several more of the HTTP GET requests over TCP port 81

 

SNORT EVENTS:

• ETPRO TROJAN Win32/Poweliks.A Checkin (sid:2808248)

• [1:31463:1] BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm
• [1:31465:1] MALWARE-CNC Win.Trojan.Androm Click Fraud Request
• [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority

 

OTHER MALWARE

FLASH EXPLOIT:

File name:  2014-08-01-Magnitude-EK-flash-exploit.swf
File size:  14.1 KB ( 14402 bytes )
MD5 hash:  f4083282b1e9f9ec018d12d051a475d5
Detection ratio:  0 / 53
First submission:  2014-08-01 22:19:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e9cf3a24e7245eb792e1dcf178ee61efbe307537d7009f1a7def9976e0582d4/analysis/

 

FOLLOW-UP MALWARE DOWNLOADED BY PAYLOAD 2 OF 4:

File name:  UpdateFlashPlayer_15eec67e.exe
File size:  148.0 KB ( 151552 bytes )
MD5 hash:  aa5c791b33cf2a330c27e0253808cd7f
Detection ratio:  9 / 54
First submission:  2014-08-01 23:44:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/898820f0375cb464b4abc28ef73aec24c343aa95790ca61563e51ffd60acb9f5/analysis/

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-08-01-Magnitude-EK-pcaps.zip
• ZIP of the malware:  2014-08-01-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.