2014-05-01 - MAGNITUDE EK FROM 193.169.245[.]10 - AFTERNOONRIDE[.]PW

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-05-01-Magnitude-EK-traffic.pcap.zip

NOTE: This one's a relatively quick post for situational awareness.  I didn't extract or deobfuscate any of the malware from the PCAP.

PREVIOUS MAGNITUDE EK:

• 2014-01-14 - Magnitude EK from 66.55.140[.]115 - 73373e4.13f8.0caad.991f.004.a8a.5d1.1f0.sknhzkfjldkp.lunchdoors[.]pw
• 2014-03-12 - Magnitude EK from 67.196.49[.]168 - 6b0543.e3fb5.c8.5b9.b0fc2e9.53.cd0.b7.df.unnujshair.smallestpieces[.]pw
• 2014-03-23 - Magnitude EK from 67.196.50[.]153 - 27.e97a7fd.4e.15b.6f7.ca0726.6f2744.f70.pidzfnbzozvj.pendates[.]in
• 2014-03-25 - Magnitude EK from 67.196.50[.]155 - 3ee0b.6b5.ed93d77.9e88.d4f0e.cf49a.79f.hsyeekqwnyd.dumprelated[.]in
• 2014-04-14 - Magnitude EK from 67.196.3[.]65 - 9b5ef08.e9b.1c34d5.379b.0078.5638.0cd0.rpaitxocww.dumpequally.net
• 2014-04-15 - Magnitude EK from 67.196.3[.]66 - 44d.c07.5d7.5ce6.17c4.96d.0038dec.aeea6.ujxadmcithxz.suggestinglots[.]in
• 2014-04-16 - Magnitude EK from 67.196.3[.]67 - 40909.e877985.75beb1.3126.2759.b7f5b.3.ymxgizns.poundswhose[.]in
• 2014-04-17 - Magnitude EK from 67.196.3[.]69 - b33715e.1f.de4ce9b.1ed.d0303ec.b7d939.yccgnkggdknu.referredknew[.]in
• 2014-04-26 - Magnitude EK from 193.169.245[.]5 - 2decc.1a9d.d3.f93b0bf.a9c.efe7f.64f6d5.yfbxhpbig.feelchips[.]in
• 2014-04-30 - Magnitude EK from 193.169.245[.]10 - 5cfe1.df.0572.77bbe0.d22.4a03.29246d.0c.hjyagwtu.safehe[.]in
• 2014-05-01 - Magnitude EK from 193.169.245[.]10 - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 176.9.142[.]218 - trueradio[.]ru - Compromised website
• 144.76.161[.]34 - seror31.wha[.]la - Redirect
• 193.169.245[.]10 - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - Magnitude EK

COMPROMISED WEBSITE AND REDIRECT:

• 02:57:13 UTC - 176.9.142[.]218 - trueradio[.]ru - GET /
• 02:57:22 UTC - 144.76.161[.]34 - seror31.wha[.]la - GET /zxzzzzzdddff/?id=ts

MAGNITUDE EK:

• 02:57:24 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /
• 02:57:29 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/397d1488393621542bce5ae025b6fe45
• 02:57:34 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/92dfa2da4d8cf7fb7b4309b7926eacaa
• 02:57:34 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/8b804638ac7861d89fea0ac6f32b31c5
• 02:57:35 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/8b804638ac7861d89fea0ac6f32b31c5
• 02:57:35 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/05cbf90556b6736d49ba98caa66169a2
• 02:57:35 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/05cbf90556b6736d49ba98caa66169a2
• 02:57:36 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/8b804638ac7861d89fea0ac6f32b31c5
• 02:57:36 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/0
• 02:57:37 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/8b804638ac7861d89fea0ac6f32b31c5
• 02:57:38 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/qz.class
• 02:57:39 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/qz.class
• 02:57:39 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/qz.class
• 02:57:40 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/qz.class
• 02:57:43 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/1
• 02:57:45 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/2
• 02:57:47 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/3
• 02:57:50 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/4
• 02:57:51 UTC - e2f.18.bc5.465f.90.33c10.26.1e098.26.efee.motbypqfa.afternoonride[.]pw - GET /5c7c809507ba97245ff090987f3c8ecd/5

SOME OF THE POST-INFECTION TRAFFIC:

• 02:58:18 UTC - 72.239.197[.]225 - 72.239.197[.]225 - GET /mod2/5mintyj.exe
• 02:58:34 UTC - 93.77.80[.]138 - 93.77.80[.]138 - GET /mod1/5mintyj.exe
• 02:58:40 UTC - 31.43.181[.]142 - biobetic-new[.]com - GET /b/shoe/54675
• 02:58:40 UTC - 31.43.181[.]142 - biobetic-new[.]com - GET /b/shoe/749634
• 02:58:49 UTC - 109.60.194[.]211 - revolution-start[.]com - GET /components-i7/jquery/
• 02:58:49 UTC - 109.60.194[.]211 - revolution-start[.]com - GET /components-i7/jquery/
• 02:59:33 UTC - 108.59.251[.]118 - aoneteleshop[.]com - GET /images/dummy/heap170id3.exe
• 03:00:35 UTC - 37.57.124[.]144 - revolution-start[.]com - GET /jshop-i9/soft64.dll
• 03:01:00 UTC - 109.60.194[.]211 - harm-causer[.]com - GET /b/eve/3333a740fc215ad737df67f6

 

ALERTS

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-01 02:57:23 UTC - [local host]:53 - ET INFO DNS Query to a *.pw domain - Likely Hostile
• 2014-05-01 02:57:24 UTC - 193.169.245[.]10:80 - ET INFO HTTP Request to a *.pw domain
• 2014-05-01 02:57:25 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013
• 2014-05-01 02:57:29 UTC - 173.194.46[.]73:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-05-01 02:57:30 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK
• 2014-05-01 02:57:34 UTC - 193.169.245[.]10:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 2014-05-01 02:57:34 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013
• 2014-05-01 02:57:34 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass
• 2014-05-01 02:57:34 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Possible J7u21 click2play bypass
• 2014-05-01 02:57:35 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
• 2014-05-01 02:57:35 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
• 2014-05-01 02:57:35 UTC - 193.169.245[.]10:80 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 2014-05-01 02:57:36 UTC - 193.169.245[.]10:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request
• 2014-05-01 02:58:18 UTC - 72.239.197[.]225:80 - ET INFO Exectuable Download from dotted-quad Host
• 2014-05-01 02:58:18 UTC - 72.239.197[.]225:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure 2
• 2014-05-01 02:58:18 UTC - 72.239.197[.]225:80 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
• 2014-05-01 02:58:22 UTC - 72.239.197[.]225:80 - ET TROJAN Suspicious double Server Header
• 2014-05-01 02:58:22 UTC - 72.239.197[.]225:80 - ET POLICY PE EXE or DLL Windows file download
• 2014-05-01 02:58:23 UTC - 72.239.197[.]225:80 - GPL SHELLCODE x86 NOOP
• 2014-05-01 02:58:22 UTC - 72.239.197[.]225:80 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
• 2014-05-01 02:58:22 UTC - 72.239.197[.]225:80 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
• 2014-05-01 02:58:47 UTC - 93.77.80[.]138:80 - ET TROJAN Suspicious double Server Header
• 2014-05-01 02:58:48 UTC - 93.77.80[.]138:80 - ET POLICY PE EXE or DLL Windows file download
• 2014-05-01 02:58:47 UTC - 93.77.80[.]138:80 - ET INFO EXE Download With Content Type Specified As Empty
• 2014-05-01 02:58:47 UTC - 93.77.80[.]138:80 - ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header
• 2014-05-01 02:58:47 UTC - 93.77.80[.]138:80 - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
• 2014-05-01 02:58:58 UTC - 109.60.194[.]211:80 - ET POLICY PE EXE or DLL Windows file download
• 2014-05-01 02:58:58 UTC - 109.60.194[.]211:80 - GPL SHELLCODE x86 NOOP
• 2014-05-01 02:58:58 UTC - 109.60.194[.]21:80 - ET INFO EXE - Served Attached HTTP
• 2014-05-01 02:58:58 UTC - 109.60.194[.]211:80 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
• 2014-05-01 02:59:33 UTC - 108.59.251[.]118:80 - ET TROJAN GENERIC Zbot Based Loader
• 2014-05-01 02:59:33 UTC - 108.59.251[.]118:80 - ET POLICY PE EXE or DLL Windows file download
• 2014-05-01 03:01:00 UTC - 109.60.194[.]211:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon
• 2014-05-01 03:01:01 UTC - 109.60.194[.]211:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement

 

Click here to return to the main page.