2014-11-20 - THREATGLASS HAS 5 EXAMPLES OF MAGNITUDE EK SINCE YESTERDAY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-11-20-Magnitude-EK-traffic-5-examples-from-Threatglass.zip 132.0 MB (132,000,866 bytes)
- 2014-11-20-malware-from-Magnitude-EK-infections.zip 39.7 kB (39,668 bytes)
NOTES:
- This is the first time I've found so many entries for Magnitude exploit kit (EK) traffic on Threatglass in such a short time.
- I noticed callback traffic for Poweliks in most (if not every one) of these pcaps.
- Threatglass might even have more Magnitude EK before the day is over. The items listed below are what I've noticed so far.
LINKS
2014-11-20:
- Magnitude EK from: 193.169.245[.]208 - 31896b.4e076.805ed5.9204.958e.759.403e.cl2bmh704d0.mentionscreens[.]in
- Link to Threatglass entry: https://web.archive.org/web/20161024114847/http://threatglass.com/malicious_urls/doingitonline-com
2014-11-19:
- Magnitude EK from: 193.169.245[.]207 - 9333f8.11.217.aa.d2f3.3edca.30766a.a3bf.p43ah49a064a.executeborrow[.]in
- Link to Threatglass entry: https://web.archive.org/web/20141122104054/http://threatglass.com/malicious_urls/asadbashir-co-uk
- Magnitude EK from: 193.169.245[.]207 - 22d.9b1564.a0a.0b8b0d.9d1fa.f5.bd2a71.e.h4orcjh3i.progresspurely[.]in
- Link to Threatglass entry: https://web.archive.org/web/20160312191533/http://threatglass.com/malicious_urls/blog-cav-it
- Magnitude EK from: 193.169.245[.]207 - 4fc0ff.74fd8a.37ecf.e2.77d2f.51d.00a.f3.shx972qw51.groundslocked[.]in
- Link to Threatglass entry: https://web.archive.org/web/20160311093650/http://threatglass.com/malicious_urls/payday-boxcouk-co-uk
- Magnitude EK from: 193.169.245[.]207 - 4fc0ff.74fd8a.37ecf.e2.77d2f.51d.00a.f3.shx972qw51.groundslocked[.]in
- Link to Threatglass entry: https://web.archive.org/web/20160310021503/http://threatglass.com/malicious_urls/filesnews-ws
TODAY'S MAGNITUDE EK EXAMPLE
ASSOCIATED DOMAINS:
- 192.232.251[.]98 - doingitonline[.]com - Compromised website
- 192.254.164[.]43 - presentwithconfidence.undo[.]it - redirect (gate)
- 193.169.245[.]208 - 31896b.4e076.805ed5.9204.958e.759.403e.cl2bmh704d0.mentionscreens[.]in - Magnitude EK
- 31.184.192[.]80 - 1e90ff[.]com - Poweliks HTTP traffic
COMPROMISED WEBSITE AND REDIRECT (ALL TIMES UTC):
- 06:23:28 - doingitonline[.]com - GET /
- 06:23:31 - presentwithconfidence.undo[.]it - GET /themes/index.php?id=aHR0cDovLzMxODk2Yi40ZTA3Ni44MDVlZDUuOTIwNC45NThlLjc1OS40MDNlLmNsMmJtaDcwNGQwLm1lbnRpb25zY3JlZW5zLmluLw==
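The gate's id parameter is plain base64 of the Magnitude EK landing URL, which is how the redirect hands the victim off to the EK domain that shows up in the very next request. The script below is an added example (not the author's tooling and not from the Threatglass pcap) that pulls the parameter out of the gate URL seen above, decodes it, and checks that the decoded host matches the EK host from the following request. The gate URL and EK host are the ones recorded in this post with the defanging brackets removed; the function names are my own.

```python
"""Decode the Magnitude gate redirect's base64 'id' parameter.

Added example, not part of the original post. The gate URL is the one
recorded in the traffic listing (defanging brackets removed so the URL
parser accepts it); the EK host is the one from the 06:23:31 request.
"""
import base64
import binascii
from urllib.parse import urlsplit

# Gate request seen at 06:23:31 UTC, reassembled from the listing above.
GATE_URL = (
    "http://presentwithconfidence.undo.it/themes/index.php?id="
    "aHR0cDovLzMxODk2Yi40ZTA3Ni44MDVlZDUuOTIwNC45NThlLjc1OS40MDNlLmNsMmJtaDcwNGQ"
    "wLm1lbnRpb25zY3JlZW5zLmluLw=="
)

# Host of the first Magnitude EK request that followed in the same second.
EK_HOST = "31896b.4e076.805ed5.9204.958e.759.403e.cl2bmh704d0.mentionscreens.in"


def gate_id_param(gate_url: str) -> str:
    """Return the raw 'id' query value from the gate URL.

    urllib's parse_qs is deliberately avoided: it rewrites '+' as a space,
    and '+' is a legal character in standard base64, so a real gate value
    could be silently corrupted before decoding.
    """
    for pair in urlsplit(gate_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "id":
            return value
    raise ValueError("no id parameter in gate URL")


def decode_gate_id(gate_url: str) -> str:
    """Decode the base64 landing URL carried in the gate's 'id' parameter.

    Padding is restored first, since proxy logs and pcap exports often drop
    the trailing '=' characters.
    """
    raw = gate_id_param(gate_url)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"gate id is not base64 text: {exc}") from exc


def landing_host(gate_url: str) -> str:
    """Hostname of the decoded landing URL, for matching against later requests."""
    return urlsplit(decode_gate_id(gate_url)).hostname or ""


def gate_points_to(gate_url: str, observed_host: str) -> bool:
    """True when the gate's decoded target is the host seen in a later request."""
    return landing_host(gate_url).lower() == observed_host.lower()


def defang(text: str) -> str:
    """Bracket the dots so a decoded URL can be pasted into notes safely."""
    return text.replace(".", "[.]")


if __name__ == "__main__":
    decoded = decode_gate_id(GATE_URL)
    print("gate target :", defang(decoded))
    print("matches EK  :", gate_points_to(GATE_URL, EK_HOST))
```

Run it as-is to see the decoded landing URL and the match result; to triage a different gate hit, replace GATE_URL with the request line from your own pcap and EK_HOST with the host of the request that follows it. Pcap exports often drop the trailing padding from base64 URL parameters, which is why the decoder restores it before decoding.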
MAGNITUDE EK:
- 06:23:31 - 31896b.4e076.805ed5.9204.958e.759.403e.cl2bmh704d0.mentionscreens[.]in - GET /
- 06:23:36 - 31896b.4e076.805ed5.9204.958e.759.403e.cl2bmh704d0.mentionscreens[.]in - GET /792c8ff2bd2621fcdb3dff327a39910a/b82bd63f68383272948d2d7b1ffe2299
- 06:23:37 - 31896b.4e076.805ed5.9204.958e.759.403e.cl2bmh704d0.mentionscreens[.]in - GET /792c8ff2bd2621fcdb3dff327a39910a/eac1adf1fcac5caeb552abb56d428ec2
- 06:23:41 - 193.169.245[.]208 - GET /?0a8746376b3acd748f466480a55ac302
- 06:23:42 - 193.169.245[.]208 - GET /?af5ab5fea5760bb87a1457d90ed3aeb4
- 06:23:43 - 193.169.245[.]208 - GET /?0c7e46deb76659bc2273b3a336fcf643
- 06:23:43 - 193.169.245[.]208 - GET /?79ecab4983f652e8544a68183559c76d
- 06:23:57 - 193.169.245[.]208 - GET /?facd44667b2ae4bcb6b481e233b9981c
- 06:24:01 - 193.169.245[.]208 - GET /?a8a5c6ee7de28e2839eaf71c505beb44
POWELIKS HTTP TRAFFIC:
- 06:23:57 - 1e90ff[.]com - POST /q
- 06:23:57 - 1e90ff[.]com - POST /q
- 06:23:57 - 1e90ff[.]com - GET /dll
POWELIKS MALWARE FROM TODAY'S PCAP:
FINAL NOTES
There's too much information here for one of my usual blog entries. You'll need to examine the pcaps from Threatglass for details. Some of the EK payloads can be exported from the pcaps using Wireshark.