Malware-Traffic-Analysis.net - 2015-02-13

2015-02-13 - MAGNITUDE EK FROM 46.166.182.101

ASSOCIATED FILES:

ZIP of the pcap: 2015-02-13-Magnitude-EK-traffic.pcap.zip
ZIP of the malware: 2015-02-13-Magnitude-EK-malware.zip

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

46.166.182.101 - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - Magnitude EK

MAGNITUDE EK:

2015-02-13 00:49:12 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /?2654434052544748554a47524308414949414a430845494b
2015-02-13 00:49:22 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /d8b7bd0646ae4b7344ff9e7df3b77f36
2015-02-13 00:49:22 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /1db70f31658d04615bd2ac4751bf6c54
2015-02-13 00:49:25 UTC - 46.166.182.101 - GET /?8a4e1cdfb85545ab7dc0296ada31c189
2015-02-13 00:49:26 UTC - 46.166.182.101 - GET /?aba053bd1f478e9f58ba3a41492dca6c
2015-02-13 00:49:27 UTC - 46.166.182.101 - GET /?9755bf8937a08ea1691cfb1d06e68693
2015-02-13 00:49:59 UTC - 46.166.182.101 - GET /?70c3af605f00b077c895dd9ff6756aad
2015-02-13 00:50:02 UTC - 46.166.182.101 - GET /?3044f2605deec94ba1c60eaaaba728a9
2015-02-13 00:50:03 UTC - 46.166.182.101 - GET /?81f7cef08a0a5570e7f43f44c2c66ddc
2015-02-13 00:50:03 UTC - 46.166.182.101 - GET /?18da21ef5ad8840bbb2800f21f66e235
2015-02-13 00:50:25 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /?2654434052544748554a47524308414949414a430845494b
2015-02-13 00:50:29 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /d8b7bd0646ae4b7344ff9e7df3b77f36
2015-02-13 00:50:29 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /1db70f31658d04615bd2ac4751bf6c54
2015-02-13 00:51:10 UTC - 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols.in - GET /1db70f31658d04615bd2ac4751bf6c54
2015-02-13 00:51:13 UTC - 46.166.182.101 - GET /?8a4e1cdfb85545ab7dc0296ada31c189
2015-02-13 00:51:15 UTC - 46.166.182.101 - GET /?aba053bd1f478e9f58ba3a41492dca6c
2015-02-13 00:51:19 UTC - 46.166.182.101 - GET /?9755bf8937a08ea1691cfb1d06e68693
2015-02-13 00:51:23 UTC - 46.166.182.101 - GET /?70c3af605f00b077c895dd9ff6756aad
2015-02-13 00:51:23 UTC - 46.166.182.101 - GET /?3044f2605deec94ba1c60eaaaba728a9
2015-02-13 00:51:24 UTC - 46.166.182.101 - GET /?81f7cef08a0a5570e7f43f44c2c66ddc
2015-02-13 00:51:24 UTC - 46.166.182.101 - GET /?18da21ef5ad8840bbb2800f21f66e235

POST-INFECTION TRAFFIC:

See the preliminary malware analysis for the post-infection traffic.

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

46.166.182.101 port 80 - ETPRO CURRENT_EVENTS DRIVEBY Magnitude Landing Dec 03 2014 (sid:2809273)
46.166.182.101 port 80 - ETPRO CURRENT_EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014 (sid:2809275)
46.166.182.101 port 80 - ET CURRENT_EVENTS NeoSploit - TDS (sid:2015665)
46.166.182.101 port 80 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 (sid:2017694)
46.166.182.101 port 80 - ET MALWARE Possible Windows executable sent when remote host claims to send html content (sid:2009897)

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

46.166.182.101 port 80 - [1:29189:1] EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (x14)
46.166.182.101 port 80 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (x8)
46.166.182.101 port 80 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download (x4)
46.166.182.101 port 80 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download (x4)
46.166.182.101 port 80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x8)
46.166.182.101 port 80 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name: 2015-02-13-Magnitude-EK-flash-exploit.swf
File size: 19.2 KB ( 19658 bytes )
MD5 hash: c7dce4408ce25a91971bf2c76a30c7b3
Detection ratio: 2 / 56
First submission: 2015-02-13 19:42:16 UTC
VirusTotal link: https://www.virustotal.com/en/file/4602e734035ab8ed5d2e5e3f33d3039b263585ddec54e75eb17bbfef588f3064/analysis/

MALWARE PAYLOAD 1 OF 4 - CRYPTOWALL 3.0:

File name: 2015-02-13-Magnitude-EK-payload-1-of-4-CryptoWall-3.0.exe
File size: 157.0 KB ( 160768 bytes )
MD5 hash: ac9f5c52e3f97fc07114050c05ee5fff
Detection ratio: 22 / 56
First submission: 2015-02-13 19:40:20 UTC
VirusTotal link: https://www.virustotal.com/en/file/c5bf64c7c0b5ea729e487275f026f0fe866299152ff5d1789739db39b3aca602/analysis/
Malwr link: https://malwr.com/analysis/MDhmMGM1N2ZmMjk5NGE5ODhhOTA1MWUwNDBlNDkxYTc/
Bitcoin address for ransomware payment: 1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy

Post-infection traffic:

2015-02-13 19:41:43 UTC - 188.165.164.184 port 80 - ip-addr.es GET /

2015-02-13 19:41:44 UTC - 72.29.73.163 port 80 - captainblowdri.com - POST /img4.php?u=p031cd8b8fyu

2015-02-13 19:41:52 UTC - 72.29.73.163 port 80 - captainblowdri.com - POST /img4.php?t=k2n6a8k25ga4x

2015-02-13 19:41:59 UTC - 72.29.73.163 port 80 - captainblowdri.com - POST /img4.php?v=6vtl146l07kgo2

Snort events:

72.29.73.163 port 80 - ET TROJAN CryptoWall Check-in (sid:2018452)

MALWARE PAYLOAD 2 OF 4 - REDYMS/RAMDO VARIANT:

File name: 2015-02-13-Magnitude-EK-payload-2-of-4-Redyms-Ramdo.exe
File size: 222.8 KB ( 228176 bytes )
MD5 hash: 438969a9134912de002c60e8c32ddf36
Detection ratio: 5 / 57
First submission: 2015-02-13 19:40:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ba1b80c826536f75403d31d720c7d09affd00d17fc87863c151f4bf7923bba0/analysis/
Malwr link: https://malwr.com/analysis/OTBiY2FiY2UxMDllNDYxMTk3OWJlYzBlNDMwMTQzNDM/
Post-infection traffic:

2015-02-13 19:45:09 UTC - 64.233.168.99 port 80 - www.google.com - GET /

2015-02-13 19:45:09 UTC - DNS request for: ywoqmcmwuqgysmcw.org [repeats - response: Server failure]

2015-02-13 19:45:19 UTC - 64.233.168.99 port 80 - www.google.com - GET /

2015-02-13 19:46:06 UTC - DNS request for: iqumgmcqwuqgaaus.org [repeats - response: No such name]

2015-02-13 19:46:06 UTC - 64.233.168.99 port 80 - www.google.com - GET /

2015-02-13 19:46:53 UTC - 166.78.144.80 port 80 - sksqqagakeicoeso.org - POST /

2015-02-13 19:46:53 UTC - 64.233.168.99 port 80 - www.google.com - GET /

2015-02-13 19:47:40 UTC - 192.42.116.41 port 80 - uoewuismooowgcui.org - POST /

2015-02-13 19:47:40 UTC - 64.233.168.99 port 80 - www.google.com - GET /

2015-02-13 19:48:29 UTC - 77.120.158.57 port 80 - uociwiiqgmqwwmkq.org - POST /

2015-02-13 19:48:31 UTC - 77.120.158.57 port 80 - uociwiiqgmqwwmkq.org - GET /04.cab

2015-02-13 19:48:31 UTC - 77.120.158.57 port 80 - uociwiiqgmqwwmkq.org - GET /04.cab

Snort events:

www.google.com - port 80 - ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com) (sid:2018430)

www.google.com - port 80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)

66.78.144.80 port 80 - ET TROJAN Connection to Georgia Tech Sinkhole IP (Possible Infected Host) (sid:2016994)

66.78.144.80 port 80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)

192.42.116.41 port 80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)

77.120.158.57 port 80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)

66.78.144.80 port 80 - ET TROJAN Known Sinkhole Response Header (sid:2016803)

192.42.116.41 port 80 - ET TROJAN Known Sinkhole Response Header (sid:2016803)

www.google.com - port 80 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute [**]
66.78.144.80 port 80 - [1:30547:2] MALWARE-CNC Win.Trojan.Ramdo variant outbound connection

192.42.116.41 port 80 - [1:30547:2] MALWARE-CNC Win.Trojan.Ramdo variant outbound connection

77.120.158.57 port 80 - [1:30547:2] MALWARE-CNC Win.Trojan.Ramdo variant outbound connection

66.78.144.80 port 80 - [1:25018:3] BLACKLIST Connection to malware sinkhole

192.42.116.41 port 80 - [1:30320:1] BLACKLIST Connection to malware sinkhole

MALWARE PAYLOAD 3 OF 4 - ZBOT/BUNITU VARIANT:

File name: 2015-02-13-Magnitude-EK-payload-3-of-4-Zbot-Bunitu.exe
File size: 92.0 KB ( 94208 bytes )
MD5 hash: 9313462ed56d4c35b718b098d30713b0
Detection ratio: 16 / 57
First submission: 2015-02-13 19:40:44 UTC
VirusTotal link: https://www.virustotal.com/en/file/d1b2935d1ed9a163394bcb63c9ca8e71bb0861430b477c0eba29962691de80dd/analysis/
Malwr link: https://malwr.com/analysis/NzU4YTI4ZTU5NTc2NGE0N2FjNjk1NmFjYTEzNWYwZjE/
Post-infection traffic:

2015-02-13 19:44:24 UTC - 95.211.233.121 port 53 - [TCP] GET /adpick/garden?src=FB99A2B52D9B7E85AA&xbtn=y&platform=android&[long string]

2015-02-13 19:44:25 UTC - 66.199.229.91 port 53 - [TCP] POST /api/v1/sessionStart

2015-02-13 19:44:27 UTC - 85.17.143.84 port 53 - [TCP] TCP non-ASCII data

2015-02-13 19:44:28 UTC - 76.73.102.74 port 53 - [TCP] TCP non-ASCII data, continues throughout pcap

2015-02-13 19:44:55 UTC - 67.21.4.136 port 80 - hs.aarki.net GET /adpick/garden?src=FB99A2B52D9B7E85AA&xbtn=y&platform=android&[long string]

2015-02-13 19:44:56 UTC - 67.21.4.136 port 80 - hs.aarki.net GET /garden_content?src=FB99A2B52D9B7E85AA&xbtn=y&platform=android&[long string]

2015-02-13 19:45:11 UTC - 54.243.36.223 port 80 - api.vungle.com - POST /api/v1/sessionStart

2015-02-13 19:47:47 UTC - 95.211.121.18 port 80 - whoer.net - GET / [other associated HTTP GET requests]

2015-02-13 19:48:08 UTC - 208.82.236.242 port 80 - houston.craigslist.org - GET /pet/4890210854.html [other associated HTTP GET requests]

Snort events:

95.211.233.121 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)

66.199.229.91 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)

85.17.143.84 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)

76.73.102.74 port 53 - ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (sid:2807561)

85.17.143.84 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection

76.73.102.74 port 53 - [1:28996:4] MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (more than 8000 hits)

MALWARE PAYLOAD 4 OF 4 - SIMDA:

File name: 2015-02-13-Magnitude-EK-payload-4-of-4-Simda.exe
File size: 838.0 KB ( 858112 bytes )
MD5 hash: 69f27b07404cf9c51dd2d2e40fca4d65
Detection ratio: 16 / 56
First submission: 2015-02-13 19:40:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/5617238b8d3b232f0743258b89720bb04d941278253e841ee9cbf863d0985c32/analysis/
Malwr link: https://malwr.com/analysis/MDJjYjUzZjhkMTFjNGQ1ZGI5ZGJhZGRjNGU5ODhmYzM/
Post-infection traffic:

2015-02-13 19:42:35 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?793c79u31=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:35 UTC - 217.23.12.63 port 80 - report.55c5555gmy5555i.com - POST /

2015-02-13 19:42:35 UTC - 217.23.12.63 port 80 - update.znutcptzo.com - GET /?tn=ka2glJbalV6wpdmryaGoqtRkm5%2Bg2q[long string of characters]

2015-02-13 19:42:35 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?IQG143=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:36 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?1k9yWS920=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:36 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?1y9c17u17=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:36 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?uO93m758=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:36 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?31eIQ55=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:41 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?9317aA116=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:42:52 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?k3y79309=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:43:02 UTC - 204.79.197.200 port 80 - www.bing.com - GET /chrome/report.html?5s55s=%9B%EE%EDk%D9%DF%C6%[long string of characters]

2015-02-13 19:43:02 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?mY317925=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:43:02 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?I1qG57=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:43:02 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?55c5sK563=%96%9D%A0%9F%A7%DA%[long string of characters]

2015-02-13 19:43:03 UTC - 79.142.66.239 port 80 - report.55c5555gmy5555i.com - GET /?931y918=%96%9D%A0%9F%A7%DA%[long string of characters]

Snort events:

79.142.66.239 port 80 - ET TROJAN Simda.C Checkin (sid:2016300)

217.23.12.63 port 80 - ETPRO TROJAN Backdoor.Win32.Simda.abpn Checkin (sid:2807145)

79.142.66.239 port 80 - [1:22937:5] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection

217.23.12.63 port 80 - [1:26212:2] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection

www.bing.com - [1:20661:4] MALWARE-CNC Simbda variant outbound connection

www.bing.com - [1:25038:2] BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt

SCREENSHOTS FROM THE TRAFFIC

From the CryptoWall 3.0 sample:

FINAL NOTES

Once again, here are the associated files:

ZIP of the pcap: 2015-02-13-Magnitude-EK-traffic.pcap.zip
ZIP of the malware: 2015-02-13-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.