ioc-collection/Magnitude
Jan Vojtěšek, commit 094ab53e4c: added IoCs for Magnitude EK (2021-07-29 16:28:37 +02:00)

IoCs for the Magnitude Exploit Kit

Malware analysis and more technical information are available at https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/

Samples (SHA-256)

Redirection page

CVE-2021-26411

Shellcode

5d0e45febd711f7564725ac84439b74d97b3f2bc27dbe5add5194f5cdbdbf623 (Win10 WoW64 variant)
351a2e8a4dc2e60d17208c9efb6ac87983853c83dae5543e22674a8fc5c05234 (unpacked form of the above)
4044008da4fc1d0eb4a0242b9632463a114b2129cedf9728d2d552e379c08037 (Win7 WoW64 variant)
1ea23d7456195e8674baa9bed2a2d94c7235d26a574adf7009c66d6ec9c994b3 (unpacked form of the above)
3de9d91962a043406b542523e11e58acb34363f2ebb1142d09adbab7861c8a63 (Win7 native variant)
dfa093364bf809f3146c2b8a5925f937cc41a99552ea3ca077dac0f389caa0da (unpacked form of the above)
e05a4b7b889cba453f02f2496cb7f3233099b385fe156cae9e89bc66d3c80a7f (newer Win7 WoW64 variant)
ae930317faf12307d3fb9a534fe977a5ef3256e62e58921cd4bf70e0c05bf88a (latest Win7 WoW64 variant)

CVE-2020-0986

440be2c75d55939c90fc3ef2d49ceeb66e2c762fd4133c935667b3b2c6fb8551 (pingback payload)
a5edae721568cdbd8d4818584ddc5a192e78c86345b4cdfb4dc2880b9634acab (pingback payload)
1505368c8f4b7bf718ebd9a44395cfa15657db97a0c13dcf47eb8cfb94e7528b (Magniber payload)
63525e19aad0aae1b95c3a357e96c93775d541e9db7d4635af5363d4e858a345 (Magniber payload)
31e99c8f68d340fd046a9f6c8984904331dc6a5aa4151608058ee3aabc7cc905 (Magniber payload)

Pointer scanner/loader 64-bit module

Magniber

Network indicators

C&Cs

Decoy ad domains