• This is a quick example of one instance from earlier this month (2015-03-07)
Compromised Domain and Infection Chain
  • 2015-03-07 19:44:37 UTC www.payingdays.net - 31.3.242.101 - GET /
  • 2015-03-07 19:44:38 UTC e291f1e.425f317.5a.bc.74ce39c.cc2fd.bc.sy32630z8cz4.meritslisted.in - 95.215.60.71 - GET /
Magnitude EK
  • 2015-03-07 19:44:39 UTC e291f1e.425f317.5a.bc.74ce39c.cc2fd.bc.sy32630z8cz4.meritslisted.in - 95.215.60.71 - GET /611508a47d6a56bd38fd2ea1f86ae1f3
  • 2015-03-07 19:44:40 UTC e291f1e.425f317.5a.bc.74ce39c.cc2fd.bc.sy32630z8cz4.meritslisted.in - 95.215.60.71 - GET /18f30016ba19d280f8bb49e69d03e0c3
  • 2015-03-07 19:45:04 UTC 95.215.60.71 - 95.215.60.71 - GET /?5c7459e89ac03b56e1a5924b19275b9e
  • 2015-03-07 19:45:06 UTC 95.215.60.71 - 95.215.60.71 - GET /?0a71e791ca4b5725a690551f958705b0
  • 2015-03-07 19:45:06 UTC 95.215.60.71 - 95.215.60.71 - GET /?9e2e730a949b54954567fea82c79d8fd
  • 2015-03-07 19:45:07 UTC 95.215.60.71 - 95.215.60.71 - GET /?28ace4801bead214d4254c89055ca07e
  • 2015-03-07 19:45:07 UTC 95.215.60.71 - 95.215.60.71 - GET /?b68570d05fefa19f1af08e654ee8fd86
  • 2015-03-07 19:45:08 UTC 95.215.60.71 - 95.215.60.71 - GET /?43a0fd3369b68d7282ceca429343327c
  • 2015-03-07 19:45:08 UTC 95.215.60.71 - 95.215.60.71 - GET /?de4ce42e230d15344a68c9d7ffc5feea

    [Repeat of this traffic pattern]
Post-Infection Traffic
  • 2015-03-07 19:45:07 UTC ip-addr.es - 188.165.164.184 - GET /
  • 2015-03-07 19:45:07 UTC ouarzazateonline.com - 216.55.179.136 - POST /img3.php?s=y2cdi35holsojaz
  • 2015-03-07 19:45:23 UTC ouarzazateonline.com - 216.55.179.136 - POST /img3.php?r=53r6a49t2ae
  • 2015-03-07 19:45:31 UTC ouarzazateonline.com - 216.55.179.136 - POST /img3.php?p=8qjd1dx1v03
  • 2015-03-07 19:46:11 UTC ouarzazateonline.com - 216.55.179.136 - POST /img3.php?u=3te4ap1f643
  • 2015-03-07 19:46:21 UTC ip-addr.es - 188.165.164.184 - GET /
  • 2015-03-07 19:46:21 UTC ehcc.us - 67.222.36.179 - POST /img4.php?o=wftmg63y2o71y
  • 2015-03-07 19:46:21 UTC box506.bluehost.com - GET /suspended.page/disabled.cgi/precious1.org?0=wftmg63y2o71y
  • 2015-03-07 19:46:22 UTC ferienwohnungen-diana.com - 193.46.215.131 - POST /img1.php?t=wftmg63y2o71y
  • 2015-03-07 19:46:26 UTC ouarzazateonline.com - 216.55.179.136 - POST /img4.php?u=vjcgxqbbeee21f
  • 2015-03-07 19:46:26 UTC ehcc.us - 67.222.36.179 - POST /img4.php?o=vjcgxqbbeee21f
  • 2015-03-07 19:46:26 UTC box506.bluehost.com - GET /suspended.page/disabled.cgi/precious1.org?u=vjcgxqbbeee21f
  • 2015-03-07 19:46:26 UTC ferienwohnungen-diana.com - 193.46.215.131 - POST /img1.php?m=vjcgxqbbeee21f
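As an added example (not code from the original post), the following Python script parses the traffic summary lines above and tags each request with the stage of the chain it belongs to, then groups the CryptoWall check-ins by their query token to show the same token being posted to several compromised sites in turn. The stage labels, the "six or more host labels" rule for the Magnitude host and the 32-hex-character path rule are heuristics assumed for this illustration, not Emerging Threats rule logic; the sample lines are copied from the listing above.

```python
import re
from collections import defaultdict

# Lines copied from the traffic listing in this post (the page's own data).
SAMPLE_LOG = """\
2015-03-07 19:44:37 UTC www.payingdays.net - 31.3.242.101 - GET /
2015-03-07 19:44:38 UTC e291f1e.425f317.5a.bc.74ce39c.cc2fd.bc.sy32630z8cz4.meritslisted.in - 95.215.60.71 - GET /
2015-03-07 19:44:39 UTC e291f1e.425f317.5a.bc.74ce39c.cc2fd.bc.sy32630z8cz4.meritslisted.in - 95.215.60.71 - GET /611508a47d6a56bd38fd2ea1f86ae1f3
2015-03-07 19:45:04 UTC 95.215.60.71 - 95.215.60.71 - GET /?5c7459e89ac03b56e1a5924b19275b9e
2015-03-07 19:45:07 UTC ip-addr.es - 188.165.164.184 - GET /
2015-03-07 19:45:07 UTC ouarzazateonline.com - 216.55.179.136 - POST /img3.php?s=y2cdi35holsojaz
2015-03-07 19:46:21 UTC ehcc.us - 67.222.36.179 - POST /img4.php?o=wftmg63y2o71y
2015-03-07 19:46:21 UTC box506.bluehost.com - GET /suspended.page/disabled.cgi/precious1.org?0=wftmg63y2o71y
2015-03-07 19:46:22 UTC ferienwohnungen-diana.com - 193.46.215.131 - POST /img1.php?t=wftmg63y2o71y
"""

# One summary line: "<ts> UTC <host> - [<ip> - ]<METHOD> <path>". The server IP is
# optional because some lines in the listing (e.g. the bluehost one) lack it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC (?P<host>\S+) - "
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - )?(?P<method>GET|POST) (?P<path>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "/<32 hex>" (exploit) or "/?<32 hex>" (payload) as seen in the listing.
HEX32_PATH_RE = re.compile(r"^/\??[0-9a-f]{32}$")
# CryptoWall check-in: POST /imgN.php?<letter>=<token>.
CHECKIN_RE = re.compile(r"^/img\d+\.php\?\w=(?P<token>[a-z0-9]+)$")
# Assumed heuristic for this illustration: the EK host in the listing has ten
# dot-separated labels; ordinary sites rarely exceed five.
MIN_EK_LABELS = 6


def parse_line(line):
    """Return the fields of one summary line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Tag a parsed request with the infection-chain stage it most likely belongs to."""
    host, path, method = event["host"], event["path"], event["method"]
    if IPV4_RE.match(host) and HEX32_PATH_RE.match(path):
        return "magnitude_payload"          # payload fetched from the bare IP
    if len(host.split(".")) >= MIN_EK_LABELS and (path == "/" or HEX32_PATH_RE.match(path)):
        return "magnitude_landing" if path == "/" else "magnitude_exploit"
    if method == "POST" and CHECKIN_RE.match(path):
        return "cryptowall_checkin"
    if host == "ip-addr.es":
        return "ip_check"                   # external IP lookup done by the payload
    return "other"                          # compromised site, suspended page, etc.


def analyze(log_text):
    """Parse every line and attach a 'kind' label; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            ev["kind"] = classify(ev)
            events.append(ev)
    return events


def checkin_hosts_by_token(events):
    """Map each check-in token to the C2 hosts it was posted to, in order of appearance."""
    by_token = defaultdict(list)
    for ev in events:
        if ev["kind"] == "cryptowall_checkin":
            token = CHECKIN_RE.match(ev["path"]).group("token")
            by_token[token].append(ev["host"])
    return dict(by_token)


if __name__ == "__main__":
    evs = analyze(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev["ts"]}  {ev["kind"]:<20} {ev["host"]} {ev["method"]} {ev["path"]}')
    for token, hosts in checkin_hosts_by_token(evs).items():
        print(f"token {token} posted to: {', '.join(hosts)}")
```

The token grouping is the useful part for a responder: one token (wftmg63y2o71y) goes to ehcc.us and ferienwohnungen-diana.com within a second of each other, which is why blocking a single check-in host does not stop the payload from reaching its C2.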
IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-03-07 19:44:38 UTC 95.215.60.71:80 -> 192.168.30.10:1037 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-03-07 19:44:39 UTC 192.168.30.10:1038 -> 95.215.60.71:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-03-07 19:44:40 UTC 95.215.60.71:80 -> 192.168.30.10:1039 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-07 19:45:04.312486 UTC 192.168.30.10:1045 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:04.312486 UTC 192.168.30.10:1045 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:04 UTC 95.215.60.71:80 -> 192.168.30.10:1045 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-07 19:45:06 UTC 192.168.30.10:1046 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:06 UTC 192.168.30.10:1046 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:06 UTC 192.168.30.10:1047 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:06 UTC 192.168.30.10:1047 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:07 UTC 192.168.30.10:1048 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:07 UTC 192.168.30.10:1048 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:07 UTC 192.168.30.10:1049 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:07 UTC 192.168.30.10:1049 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:07 UTC 192.168.30.10:1052 -> 216.55.179.136:80 - ET TROJAN CryptoWall Check-in
2015-03-07 19:45:08 UTC 192.168.30.10:1051 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:08 UTC 192.168.30.10:1051 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:08 UTC 192.168.30.10:1053 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:08 UTC 192.168.30.10:1053 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:10 UTC 95.215.60.71:80 -> 192.168.30.10:1056 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-07 19:45:23 UTC 192.168.30.10:1057 -> 216.55.179.136:80 - ET TROJAN CryptoWall Check-in
2015-03-07 19:45:31 UTC 192.168.30.10:1058 -> 216.55.179.136:80 - ET TROJAN CryptoWall Check-in
2015-03-07 19:45:50 UTC 192.168.30.10:1060 -> 95.215.60.71:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-07 19:45:50 UTC 192.168.30.10:1060 -> 95.215.60.71:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-07 19:45:50 UTC 95.215.60.71:80 -> 192.168.30.10:1060 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
[Traffic pattern continues to repeat]

Preliminary Malware Analysis

Flash Exploit

Magnitude EK Payload -> CryptoWall 3.0

CryptoWall 3.0 help page / decrypt service

Bitcoin wallet of this address is empty: https://blockchain.info/address/1FNV8WiPXAb6CQWJSoFVLkMNQi8cAdmUBh

IDS Alerts using the Emerging Threats Pro Ruleset from a lab machine running the CryptoWall payload
2015-03-23 22:59:39 10.10.10.104:49191 -> 199.204.44.246:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:46 10.10.10.104:49197 -> 199.204.44.246:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:39 10.10.10.104:49190 -> 67.222.36.179:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:46 10.10.10.104:49196 -> 67.222.36.179:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:42 10.10.10.104:49192 -> 182.50.142.7:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:42 10.10.10.104:49194 -> 199.204.44.246:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:39 10.10.10.104:49189 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-03-23 22:59:42 10.10.10.104:49193 -> 67.222.36.179:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:50 10.10.10.104:49198 -> 182.50.142.7:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:46 10.10.10.104:49195 -> 182.50.142.7:80 - ET TROJAN CryptoWall Check-in
2015-03-23 23:00:07 10.10.10.104:49202 -> 182.50.142.7:80 - ET TROJAN CryptoWall Check-in
2015-03-23 23:00:04 10.10.10.104:49201 -> 199.204.44.246:80 - ET TROJAN CryptoWall Check-in
2015-03-23 23:05:26 10.10.10.104:63450 -> 10.10.10.1:53 - ET TROJAN Cryptowall 3.0 .onion Proxy Domain
2015-03-23 23:05:26 10.10.10.104:63450 -> 10.10.10.1:53 - ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)
2015-03-23 23:00:04 10.10.10.104:49200 -> 67.222.36.179:80 - ET TROJAN CryptoWall Check-in
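The lab-machine alert listing above is not in time order and repeats the same signature many times. As an added example, not from the original post, this Python script parses the Snort/ET alert lines into ordered records and collapses them into per-signature indicators (hit count, distinct destination hosts, first and last time seen), the form an analyst would hand to a blocklist or a SIEM search. The line format is inferred from the listings in this post and is an assumption of the example; the sample lines are copied from the listing above.

```python
import re

# Alert lines copied from the lab-machine listing above (the page's own data),
# deliberately left in the unordered form in which they appear there.
SAMPLE_ALERTS = """\
2015-03-23 22:59:39 10.10.10.104:49191 -> 199.204.44.246:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:46 10.10.10.104:49197 -> 199.204.44.246:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:39 10.10.10.104:49190 -> 67.222.36.179:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:42 10.10.10.104:49192 -> 182.50.142.7:80 - ET TROJAN CryptoWall Check-in
2015-03-23 22:59:39 10.10.10.104:49189 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-03-23 23:05:26 10.10.10.104:63450 -> 10.10.10.1:53 - ET TROJAN Cryptowall 3.0 .onion Proxy Domain
2015-03-23 23:05:26 10.10.10.104:63450 -> 10.10.10.1:53 - ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)
2015-03-23 23:00:04 10.10.10.104:49200 -> 67.222.36.179:80 - ET TROJAN CryptoWall Check-in
"""

# "<ts>[.usec][ UTC] <src>:<sport> -> <dst>:<dport> - <signature>"; both the
# UTC-suffixed and the plain timestamp forms used in this post are accepted.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: UTC)? "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) - (?P<sig>.+)$"
)
# A domain written in parentheses at the end of a signature message.
DOMAIN_IN_SIG_RE = re.compile(r"\(([A-Za-z0-9.-]+\.[A-Za-z]{2,})\)")


def parse_alerts(text):
    """Parse alert lines and return them ordered by time (then by source port)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
            alerts.append(a)
    alerts.sort(key=lambda a: (a["ts"], a["sport"]))
    return alerts


def summarize_by_signature(alerts):
    """Collapse repeated alerts into one record per signature: hit count,
    distinct destination hosts and first/last time seen."""
    summary = {}
    for a in alerts:  # alerts are already time-ordered, so the first hit is first_seen
        rec = summary.setdefault(a["sig"], {"count": 0, "hosts": set(),
                                            "first_seen": a["ts"], "last_seen": a["ts"]})
        rec["count"] += 1
        rec["hosts"].add(a["dst"])
        rec["last_seen"] = max(rec["last_seen"], a["ts"])
    for rec in summary.values():
        rec["hosts"] = sorted(rec["hosts"])
    return summary


def c2_indicators(alerts, sig="ET TROJAN CryptoWall Check-in"):
    """Distinct IP:port pairs the infected host checked in to for one signature."""
    return sorted({f'{a["dst"]}:{a["dport"]}' for a in alerts if a["sig"] == sig})


def onion_proxy_domains(alerts):
    """Domains named in parentheses by the .onion proxy DNS alerts."""
    found = []
    for a in alerts:
        if ".onion" in a["sig"].lower():
            m = DOMAIN_IN_SIG_RE.search(a["sig"])
            if m and m.group(1) not in found:
                found.append(m.group(1))
    return found


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("first alert:", alerts[0]["ts"], alerts[0]["sig"])
    for sig, rec in summarize_by_signature(alerts).items():
        print(f'{rec["count"]:>3}x {sig}  hosts={rec["hosts"]}  '
              f'{rec["first_seen"]}..{rec["last_seen"]}')
    print("C2 check-in endpoints:", c2_indicators(alerts))
    print(".onion proxy domains:", onion_proxy_domains(alerts))
```

Sorting by timestamp and then source port restores the real sequence (the ip-addr.es lookup on port 49189 precedes the first check-in on 49190), and the per-signature view reduces the listing to three check-in hosts plus one .onion proxy domain, which is all that needs to go into a block rule.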

If you have any feedback or questions, please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.