Quick Notes:
  • This is an overview of a series of Magnitude EK -> CryptoWall 3.0 infections by what appears to be the same person(s) between March and April
  • The first instance of these 6 domains resulted in a CryptoWall and Simda.C infection; every other instance had CryptoWall 3.0 as the only payload
  • Some of the Bitcoin Wallets were unavailable, as the C2 servers were down, but some wallets showed positive transactions
  • After about a month of the creation/usage of the malicious domains, the owner(s) then began using the IP Addresses of the malicious domains to host the Magnitude EK pages
  • Based on this report, and on Passive DNS records, it appears the person(s) behind these domains may be connected
  • Below this top section are the full details of each observation, along with the PCAP and malware samples for each one individually

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates

Observed Infrastructure Used
All of the malicious domains redirecting to Magnitude EK were found on the same net block of 31.3.242.0/19, which is owned by Redstation, a UK based hosting provider. All 6 of the observed domains follow a similar naming convention revolving around "paying(-)day(s)" using various top-level domains. All 6 malicious domains utilized the same two name servers (NS1.JINO.RU, NS2.JINO.RU) belonging to Jino, a Russian hosting company. Registration of the IP Addresses utilized in this campaign also seems to be related, as follows:

  • 2 IP Addresses hosting the Exploit Kit/Malware were located on the same netblock of 217.172.189.0/24 (owned by PlusServer, a German hosting provider)
  • 3 IP Addresses hosting the Exploit Kit/Malware were located on the same netblock of 95.215.60.0/22 (owned by SoloGigabit, a Spanish hosting provider)
  • 1 IP Address hosting the Exploit Kit/Malware was 136.243.241.21 (owned by SteadyHost, a Russian hosting provider)

Here is a visual of the various infrastructure observed, showing some of the connections:

Method of Delivery
Each domain observed under the 31.3.242.0/19 netblock associated with this campaign used a 302 redirect to send unsuspecting visitors to the Magnitude EK landing page. It is interesting to note that none of the domains hosted actual content, just the 302 redirection, potentially indicating these domains were spun up for the specific purpose of sending visitors to the Magnitude EK landing page (as opposed to compromising an already functioning domain). Once the user hits the landing page, a Flash exploit (CVE-2015-0311) is sent, as well as a browser exploit for Internet Explorer. It is important to point out that, in each instance, the same IP Address hosting Magnitude EK was also where the malware payload came from. If the exploit was successful, the payload was dropped on the machine and executed. Pending successful installation on the infected host and successful communication with the CryptoWall 3.0 C2 servers, the machine would be fully infected with its files encrypted. At this point, the user is prompted to pay the Bitcoin ransom to decrypt their files.

Further Looking
When gathering more information on the owners of these malicious domains, WHOIS proved to be a dead end, as there was WHOIS guard protection on all of them. Additionally, looking into the WHOIS information for the Magnitude EK domains showed more WHOIS guarded information. But, eventually, I came across some that weren't WHOIS guard protected. Furthermore, after using VirusTotal's Passive DNS tool I was able to connect these to hundreds of other Magnitude EK landing pages, further showing the relationship between these observations. Obviously, this does not mean this particular person is doing the dirty work on the back end, but it serves as a good jumping off point to continue down that rabbit hole. Every single Magnitude EK IP Address in this campaign belongs to this individual (Note: I omitted some fields that were empty for brevity):

Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)  
Status:CLIENT DELETE PROHIBITED  
Status:CLIENT HOLD  
Status:CLIENT RENEW PROHIBITED  
Status:CLIENT TRANSFER PROHIBITED  
Status:CLIENT UPDATE PROHIBITED  
Registrant ID:WIQ_38723585  
Registrant Name:Vasiliy Serov  
Registrant Organization:N/A  
Registrant Street1:Kirovskaya 83  
Registrant City:Moskva  
Registrant State/Province:Moskovskaya oblast  
Registrant Postal Code:106625  
Registrant Country:US  
Registrant Phone:+7.4955168510  
Registrant Email:serovvasil@aol.com  

Timeline of Events:
2014-10-15 - 31.3.242.103 - payingdays.org - First observation of a created 'payingdays' domain based on VirusTotal Passive DNS records, and WHOIS record
2015-03-04 - 31.3.242.101 - payingdays.net - Creation of domain
2015-03-05 - 31.3.242.101 - payingdays.net - First observation/pcap of the 'payingdays' domain used in conjunction with Magnitude EK & CryptoWall 3.0 & Simda
2015-03-05 - 31.3.242.103 - payingdays.me - Creation of domain
2015-03-05 - 31.3.242.103 - payingdays.me - Observation/pcap of domain leading to Magnitude EK & CryptoWall 3.0
2015-03-09 - 31.3.242.100 - payingday.net - Creation of domain
2015-03-09 - 31.3.242.100 - payingday.net - Observation/pcap of domain leading to Magnitude EK & CryptoWall 3.0
2015-03-09 - 31.3.242.103 - payingday.biz - Creation of domain
2015-03-21 - 31.3.242.103 - payingday.biz - Observation/pcap of domain leading to Magnitude EK & CryptoWall 3.0
2015-03-29 - 31.3.242.106 - paying-days.com - Creation of domain
2015-03-29 - 31.3.242.100 - paying-days.net - Creation of domain
2015-04-02 - 31.3.242.106 - paying-days.com - Observation/pcap of domain leading to Magnitude EK & CryptoWall 3.0
2015-04-03 - 31.3.242.100 - paying-days.net - Observation/pcap of domain leading to Magnitude EK & CryptoWall 3.0
2015-04-21 - 31.3.242.100 - IP Address becomes the host of Magnitude EK domains
2015-04-22 - 31.3.242.101 - IP Address becomes the host of Magnitude EK domains
2015-04-24 - 31.3.242.103 - IP Address becomes the host of Magnitude EK domains
2015-04-27 - 31.3.242.106 - IP Address becomes the host of Magnitude EK domains

Final Thoughts
This was more of an exercise in viewing the activities of someone/some people over time and seeing what connections could be made. Typically, I analyze individual instances, so it was fun to expand it across a more connected campaign. Based on the observed evidence, I am concluding that the same person(s) were utilizing these similar domain names and methods to pass CryptoWall 3.0 to the victim(s). I did not see the delivery method of any of these attacks, but one method could be a link in spam messages that, if clicked on, sends the user to the malicious domains. This is different from the usual watering hole attack of compromising a frequently trafficked/legitimate domain. Additionally, I could see this infection chain being useful in malvertising, due to the quick 302 redirect to the Magnitude EK landing page. Furthermore, based on analysis of the Bitcoin Wallets associated with some of the CryptoWall 3.0 samples, it appears this campaign was relatively successful, as nearly 13 BTC were observed transferred into them.

Network Traffic and Malware Analysis
2015-04-03 - paying-days.net

Network Traffic
2015-04-03 21:53:11 UTC - 31.3.242.100 - paying-days.net - Malicious Domain / Redirection
2015-04-03 21:53:12 UTC - 217.172.189.239 - 6e552d8.7f2.fe.477fc.58.d6.c8.6e6c.df3.7b.aiqk05syj176.monthsacts.pw - Magnitude EK Landing Page
2015-04-03 21:53:39 UTC - 217.172.189.239 - 217.172.189.239 - Malware Download
2015-04-03 20:53:44 UTC - 188.165.164.184 - ip-addr.es - Malware Info Beacon
2015-04-03 20:53:44 UTC - 85.92.144.16 - sloeponline.org - Post-Infection traffic
2015-04-03 20:53:47 UTC - 150.107.31.55 - chonburipalms.com - Post-Infection Traffic (CryptoWall 3.0)
2015-04-03 20:54:21 UTC - 49.50.8.213 - hicoop.com - Post-Infection Traffic (CryptoWall 3.0)
2015-04-03 20:55:12 UTC - 103.31.233.237 - katadata.com - Post-Infection Traffic (CryptoWall 3.0)
2015-04-03 20:55:19 UTC - 46.242.145.92 - uaru.net - Post-Infection Traffic (CryptoWall 3.0)

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7
2015-04-03 21:53:12 UTC - 217.172.189.239:80 -> 192.168.17.10:1037 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-04-03 21:53:12 UTC - 192.168.17.10:1038 -> 217.172.189.239:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-04-03 21:53:13 UTC - 217.172.189.239:80 -> 192.168.17.10:1039 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-04-03 21:53:39 UTC - 192.168.17.10:1045 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:39 UTC - 192.168.17.10:1045 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:40 UTC - 217.172.189.239:80 -> 192.168.17.10:1045 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-04-03 21:53:42 UTC - 192.168.17.10:1046 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:42 UTC - 192.168.17.10:1046 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:42 UTC - 192.168.17.10:1047 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:42 UTC - 192.168.17.10:1047 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:42 UTC - 192.168.17.10:1048 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:42 UTC - 192.168.17.10:1048 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:43 UTC - 192.168.17.10:1049 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:43 UTC - 192.168.17.10:1049 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:43 UTC - 192.168.17.10:1050 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:43 UTC - 192.168.17.10:1050 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:43 UTC - 192.168.17.10:1051 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:53:43 UTC - 192.168.17.10:1051 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:53:44 UTC - 192.168.17.10:1054 -> 85.92.144.16:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:53:45 UTC - 217.172.189.239:80 -> 192.168.17.10:1057 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-04-03 21:53:47 UTC - 192.168.17.10:1058 -> 150.107.31.55:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:54:12 UTC - 192.168.17.10:1061 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:12 UTC - 192.168.17.10:1061 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:12 UTC - 217.172.189.239:80 -> 192.168.17.10:1061 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-04-03 21:54:14 UTC - 192.168.17.10:1062 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:14 UTC - 192.168.17.10:1062 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:15 UTC - 192.168.17.10:1063 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:15 UTC - 192.168.17.10:1063 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:15 UTC - 192.168.17.10:1064 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:15 UTC - 192.168.17.10:1064 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:15 UTC - 192.168.17.10:1065 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:15 UTC - 192.168.17.10:1065 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:16 UTC - 192.168.17.10:1066 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:16 UTC - 192.168.17.10:1066 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:17 UTC - 192.168.17.10:1067 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:54:17 UTC - 192.168.17.10:1067 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:54:20 UTC - 217.172.189.239:80 -> 192.168.17.10:1070 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-04-03 21:54:21 UTC - 192.168.17.10:1071 -> 49.50.8.213:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:54:26 UTC - 192.168.17.10:1072 -> 85.92.144.16:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:54:30 UTC - 192.168.17.10:1073 -> 150.107.31.55:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:54:45 UTC - 217.172.189.239:80 -> 192.168.17.10:1077 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-04-03 21:55:07 UTC - 192.168.17.10:1079 -> 49.50.8.213:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:55:07 UTC - 192.168.17.10:1081 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:07 UTC - 192.168.17.10:1081 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:07 UTC - 217.172.189.239:80 -> 192.168.17.10:1081 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-04-03 21:55:09 UTC - 192.168.17.10:1082 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:09 UTC - 192.168.17.10:1082 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:09 UTC - 192.168.17.10:1083 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:09 UTC - 192.168.17.10:1083 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:10 UTC - 192.168.17.10:1084 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:10 UTC - 192.168.17.10:1084 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:10 UTC - 192.168.17.10:1085 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:10 UTC - 192.168.17.10:1085 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:10 UTC - 192.168.17.10:1086 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:10 UTC - 192.168.17.10:1086 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:11 UTC - 192.168.17.10:1087 -> 217.172.189.239:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-03 21:55:11 UTC - 192.168.17.10:1087 -> 217.172.189.239:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-03 21:55:12 UTC - 192.168.17.10:1089 -> 103.31.233.237:80 - ET TROJAN CryptoWall Check-in
2015-04-03 21:55:19 UTC - 192.168.17.10:1090 -> 46.242.145.92:80 - ET TROJAN CryptoWall Check-in

2015-04-02 - paying-days.com

Network Traffic:
2015-04-02 20:39:29 UTC - 31.3.242.106 - paying-days.com - Malicious Domain / Redirection
2015-04-02 20:39:30 UTC - 217.172.189.238 - 23bc.f1e.8198117.4140.640.e6.1c836.aa5a.y4p52s21bnb.adoptsmaterial.pw - Magnitude EK Landing Page
2015-04-02 20:40:06 UTC - 217.172.189.238 - 217.172.189.238 - Malware Download
2015-04-02 20:40:12 UTC - 188.165.164.184 - ip-addr.es - Malware Info Beacon
2015-04-02 20:40:17 UTC - 64.34.157.174 - alimco.com.co - Post-Infection Traffic (CryptoWall 3.0)

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7
2015-04-02 20:39:30 UTC - 217.172.189.238:80 -> 192.168.49.10:1037 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-04-02 20:39:30 UTC - 192.168.49.10:1038 -> 217.172.189.238:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-04-02 20:39:31 UTC - 217.172.189.238:80 -> 192.168.49.10:1039 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-04-02 20:40:06 UTC - 192.168.49.10:1045 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:06 UTC - 192.168.49.10:1045 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:06 UTC - 217.172.189.238:80 -> 192.168.49.10:1045 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-04-02 20:40:09 UTC - 192.168.49.10:1046 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:09 UTC - 192.168.49.10:1046 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:10 UTC - 192.168.49.10:1047 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:10 UTC - 192.168.49.10:1047 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:10 UTC - 192.168.49.10:1048 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:10 UTC - 192.168.49.10:1048 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:10 UTC - 192.168.49.10:1049 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:10 UTC - 192.168.49.10:1049 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:11 UTC - 192.168.49.10:1050 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:11 UTC - 192.168.49.10:1050 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:11 UTC - 192.168.49.10:1051 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:11 UTC - 192.168.49.10:1051 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-04-02 20:40:13 UTC - 217.172.189.238:80 -> 192.168.49.10:1056 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-04-02 20:40:17 UTC - 192.168.49.10:1057 -> 64.34.157.174:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-04-02 20:40:17 UTC - 192.168.49.10:1057 -> 64.34.157.174:80 - ET TROJAN CryptoWall Check-in
2015-04-02 20:40:31 UTC - 192.168.49.10:1058 -> 64.34.157.174:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-04-02 20:40:31 UTC - 192.168.49.10:1058 -> 64.34.157.174:80 - ET TROJAN CryptoWall Check-in
2015-04-02 20:40:36 UTC - 192.168.49.10:1059 -> 64.34.157.174:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-04-02 20:40:36 UTC - 192.168.49.10:1059 -> 64.34.157.174:80 - ET TROJAN CryptoWall Check-in
2015-04-02 20:40:58 UTC - 192.168.49.10:1061 -> 217.172.189.238:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-04-02 20:40:58 UTC - 192.168.49.10:1061 -> 217.172.189.238:80 - ET CURRENT EVENTS NeoSploit - TDS

2015-03-21 - payingday.biz

Network Traffic:
2015-03-21 20:56:38 UTC - 31.3.242.103 - payingday.biz - Malicious Domain / Redirection
2015-03-21 20:56:39 UTC - 136.243.241.21 - a10.04854f.a9d.01d9.74ecbb.fbc.2883.f52.j77ea490.inchstraining.in - Magnitude EK Landing Page
2015-03-21 20:57:09 UTC - 136.243.241.21 - 136.243.241.21 - Malware Download
2015-03-21 20:57:13 UTC - 182.92.74.222 - geiliyou.com - Post-Infection Traffic (CryptoWall 3.0)

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7
2015-03-21 20:56:39 UTC - 136.243.241.21:80 -> 192.168.61.10:1037 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-03-21 20:56:39 UTC - 192.168.61.10:1038 -> 136.243.241.21:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-03-21 20:56:40 UTC - 136.243.241.21:80 -> 192.168.61.10:1039 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-21 20:57:09 UTC - 192.168.61.10:1045 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:09 UTC - 192.168.61.10:1045 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:09 UTC - 136.243.241.21:80 -> 192.168.61.10:1045 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-21 20:57:11 UTC - 192.168.61.10:1046 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:11 UTC - 192.168.61.10:1046 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:11 UTC - 192.168.61.10:1047 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:11 UTC - 192.168.61.10:1047 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:11 UTC - 192.168.61.10:1048 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:11 UTC - 192.168.61.10:1048 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:12 UTC - 192.168.61.10:1049 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:12 UTC - 192.168.61.10:1049 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:12 UTC - 192.168.61.10:1050 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:12 UTC - 192.168.61.10:1050 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:12 UTC - 192.168.61.10:1051 -> 136.243.241.21:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-21 20:57:12 UTC - 192.168.61.10:1051 -> 136.243.241.21:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-21 20:57:13 UTC - 192.168.61.10:1053 -> 182.92.74.222:80 - ET TROJAN CryptoWall Check-in
2015-03-21 20:57:17 UTC - 192.168.61.10:1054 -> 182.92.74.222:80 - ET TROJAN CryptoWall Check-in
2015-03-21 20:57:25 UTC - 192.168.61.10:1055 -> 182.92.74.222:80 - ET TROJAN CryptoWall Check-in

2015-03-10 - payingday.net

Network Traffic:
2015-03-10 21:11:41 UTC - 31.3.242.100 - payingday.net - Malicious Domain / Redirection
2015-03-10 21:11:43 UTC - 95.215.60.75 - 8c521.8a03680.af2411.c3788c.eb8eba8.c.e5rxa5b3.linesadded.in - Magnitude EK Landing Page
2015-03-10 21:12:06 UTC - 95.215.60.75 - 95.215.60.75 - Malware Download
2015-03-10 21:12:10 UTC - 66.147.242.171 - judora-ng.com - Post-Infection Traffic (CryptoWall 3.0)
2015-03-10 21:12:11 UTC - 217.195.198.180 - tryea.com - Post-Infection Traffic (CryptoWall 3.0)
2015-03-10 21:12:14 UTC - 27.254.81.96 - aseanian.com - Post-Infection Traffic (CryptoWall 3.0)

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7
2015-03-10 21:11:43 UTC - 95.215.60.75:80 -> 192.168.17.10:1037 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-03-10 21:11:44 UTC - 192.168.17.10:1038 -> 95.215.60.75:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-03-10 21:11:44 UTC - 95.215.60.75:80 -> 192.168.17.10:1039 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-10 21:12:06 UTC - 192.168.17.10:1046 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:06 UTC - 192.168.17.10:1046 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:07 UTC - 95.215.60.75:80 -> 192.168.17.10:1046 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-10 21:12:08 UTC - 192.168.17.10:1047 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:08 UTC - 192.168.17.10:1047 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:09 UTC - 192.168.17.10:1048 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:09 UTC - 192.168.17.10:1048 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:09 UTC - 192.168.17.10:1049 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:09 UTC - 192.168.17.10:1049 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:09 UTC - 192.168.17.10:1050 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:09 UTC - 192.168.17.10:1050 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:10 UTC - 192.168.17.10:1051 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:10 UTC - 192.168.17.10:1051 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:10 UTC - 192.168.17.10:1053 -> 95.215.60.75:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-10 21:12:10 UTC - 192.168.17.10:1053 -> 95.215.60.75:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-10 21:12:10 UTC - 192.168.17.10:1054 -> 66.147.242.171:80 - ET TROJAN CryptoWall Check-in
2015-03-10 21:12:11 UTC - 192.168.17.10:1057 -> 217.195.198.180:80 - ET TROJAN CryptoWall Check-in
2015-03-10 21:12:12 UTC - 95.215.60.75:80 -> 192.168.17.10:1058 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-10 21:12:14 UTC - 192.168.17.10:1061 -> 27.254.81.96:80 - ET TROJAN CryptoWall Check-in

2015-03-06 - payingdays.me

Network Traffic:
2015-03-06 19:05:34 UTC - 31.3.242.103 - payingdays.me - Malicious Domain / Redirection
2015-03-06 19:05:37 UTC - 95.215.60.69 - 3db1488.e9fa7.a0.23.d726.4909e.99.494a.4.ccgxn328.callheads.in - Magnitude EK Landing Page
2015-03-06 19:06:23 UTC - 95.215.60.69 - 95.215.60.69 - Malware Download
2015-03-06 19:06:28 UTC - 150.107.31.61 - azquasoft.com - Post-Infection Traffic (CryptoWall 3.0)

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7
2015-03-06 19:05:37 UTC - 95.215.60.69:80 -> 192.168.2.10:1037 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-03-06 19:05:38 UTC - 192.168.2.10:1038 -> 95.215.60.69:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-03-06 19:05:38 UTC - 95.215.60.69:80 -> 192.168.2.10:1039 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-06 19:06:23 UTC - 192.168.2.10:1045 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:23 UTC - 192.168.2.10:1045 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:23 UTC - 95.215.60.69:80 -> 192.168.2.10:1045 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-06 19:06:25 UTC - 192.168.2.10:1046 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:25 UTC - 192.168.2.10:1046 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:25 UTC - 192.168.2.10:1047 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:25 UTC - 192.168.2.10:1047 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:26 UTC - 192.168.2.10:1048 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:26 UTC - 192.168.2.10:1048 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:26 UTC - 192.168.2.10:1049 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:26 UTC - 192.168.2.10:1049 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:26 UTC - 192.168.2.10:1050 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:26 UTC - 192.168.2.10:1050 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:27 UTC - 192.168.2.10:1051 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:06:27 UTC - 192.168.2.10:1051 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:06:28 UTC - 192.168.2.10:1056 -> 150.107.31.61:80 - ET TROJAN CryptoWall Check-in
2015-03-06 19:06:30 UTC - 95.215.60.69:80 -> 192.168.2.10:1057 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-06 19:06:37 UTC - 192.168.2.10:1059 -> 150.107.31.61:80 - ET TROJAN CryptoWall Check-in
2015-03-06 19:06:43 UTC - 192.168.2.10:1060 -> 150.107.31.61:80 - ET TROJAN CryptoWall Check-in
2015-03-06 19:07:02 UTC - 192.168.2.10:1062 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:02 UTC - 192.168.2.10:1062 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:02 UTC - 95.215.60.69:80 -> 192.168.2.10:1062 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-06 19:07:04 UTC - 192.168.2.10:1063 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:04 UTC - 192.168.2.10:1063 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:04 UTC - 192.168.2.10:1064 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:04 UTC - 192.168.2.10:1064 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:04 UTC - 192.168.2.10:1065 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:04 UTC - 192.168.2.10:1065 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:05 UTC - 192.168.2.10:1066 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:05 UTC - 192.168.2.10:1066 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:05 UTC - 192.168.2.10:1067 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:05 UTC - 192.168.2.10:1067 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:06 UTC - 192.168.2.10:1068 -> 95.215.60.69:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-06 19:07:06 UTC - 192.168.2.10:1068 -> 95.215.60.69:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-06 19:07:08 UTC - 95.215.60.69:80 -> 192.168.2.10:1071 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014

2015-03-05 - payingdays.net

Network Traffic:
2015-03-05 19:38:11 UTC - 31.3.242.101 - payingdays.net - Malicious Domain / Redirector
2015-03-05 19:38:27 UTC - 95.215.60.68 - ff.9e155ed.25ed.710.9683e.0b.ffe5d93.b6.ze46v5aetp.comparingcup.in - Magnitude EK Landing Page
2015-03-05 19:38:54 UTC - 95.215.60.68 - 95.215.60.68 - Malware Download
2015-03-05 19:38:59 UTC - 37.221.161.69 - filemade.com - Post-Infection Traffic (CryptoWall 3.0)
2015-03-05 19:39:05 UTC - 217.23.6.131 - report.93u79i1793qgm31ws3e.com - Post-Infection (Simda.C)
2015-03-05 19:39:05 UTC - 94.242.253.106 - update2.ott3m4lh7.com - Post-Infection (Simda.C)

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7
2015-03-05 19:38:27 UTC - 95.215.60.68:80 -> 192.168.33.10:1040 - ETPRO CURRENT EVENTS DRIVEBY Magnitude Landing Dec 03 2014
2015-03-05 19:38:28 UTC - 192.168.33.10:1041 -> 95.215.60.68:80 - ET CURRENT EVENTS Magnitude Flash Exploit (IE)
2015-03-05 19:38:28 UTC - 95.215.60.68:80 -> 192.168.33.10:1042 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
2015-03-05 19:38:54 UTC - 192.168.33.10:1044 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:38:54 UTC - 192.168.33.10:1044 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:38:55 UTC - 95.215.60.68:80 -> 192.168.33.10:1044 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-05 19:38:56 UTC - 192.168.33.10:1045 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:38:56 UTC - 192.168.33.10:1045 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:38:57 UTC - 192.168.33.10:1046 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:38:57 UTC - 192.168.33.10:1046 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:38:57 UTC - 95.215.60.68:80 -> 192.168.33.10:1046 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-05 19:38:58 UTC - 192.168.33.10:1047 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:38:58 UTC - 192.168.33.10:1047 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:38:59 UTC - 95.215.60.68:80 -> 192.168.33.10:1047 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-05 19:38:59 UTC - 192.168.33.10:1049 -> 37.221.161.69:80 - ET TROJAN CryptoWall Check-in
2015-03-05 19:39:00 UTC - 192.168.33.10:1050 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:39:00 UTC - 192.168.33.10:1050 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:39:01 UTC - 192.168.33.10:1051 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:39:01 UTC - 192.168.33.10:1051 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:39:01 UTC - 192.168.33.10:1052 -> 95.215.60.68:80 - ET CURRENT EVENTS Possible Magnitude IE EK Payload Nov 8 2013
2015-03-05 19:39:01 UTC - 192.168.33.10:1052 -> 95.215.60.68:80 - ET CURRENT EVENTS NeoSploit - TDS
2015-03-05 19:39:01 UTC - 95.215.60.68:80 -> 192.168.33.10:1052 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
2015-03-05 19:39:03 UTC - 192.168.33.10:1053 -> 37.221.161.69:80 - ET TROJAN CryptoWall Check-in
2015-03-05 19:39:05 UTC - 192.168.33.10:1054 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:05 UTC - 192.168.33.10:1056 -> 94.242.253.106:80 - ETPRO TROJAN Backdoor.Win32.Simda.abpn Checkin
2015-03-05 19:39:05 UTC - 192.168.33.10:1057 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:06 UTC - 192.168.33.10:1058 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:06 UTC - 192.168.33.10:1059 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:06 UTC - 192.168.33.10:1060 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:06 UTC - 192.168.33.10:1061 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:07 UTC - 192.168.33.10:1062 -> 37.221.161.69:80 - ET TROJAN CryptoWall Check-in
2015-03-05 19:39:11 UTC - 192.168.33.10:1063 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:15 UTC - 192.168.33.10:1064 -> 37.221.161.69:80 - ET TROJAN CryptoWall Check-in
2015-03-05 19:39:22 UTC - 192.168.33.10:1066 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:32 UTC - 192.168.33.10:1068 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:32 UTC - 192.168.33.10:1069 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:32 UTC - 192.168.33.10:1070 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:32 UTC - 192.168.33.10:1071 -> 217.23.6.131:80 - ET TROJAN Simda.C Checkin
2015-03-05 19:39:34 UTC - 95.215.60.68:80 -> 192.168.33.10:1076 - ETPRO CURRENT EVENTS DRIVEBY Magnitude IE Exploit Dec 03 2014
