2014-01-26 - SWEET ORANGE EK USES MSIE EXPLOIT

ASSOCIATED FILES:

 

NOTES:

Sweet Orange is an exploit kit that's been around for a while.  I hadn't run across Sweet Orange in quite a while--well before I started doing this blog.  But that changed earlier today while I was looking through Scumware.org to find a compromised website and generate some infection traffic.  One of the websites I found infected a vulnerable host, and it generated some Sweet Orange EK events in the process.

Let's take a closer look at the infection traffic...

 

SNORT EVENTS

For this infection, Security Onion was monitoring a VM running Windows 7 SP1 with IE 8.  Here are the Snort events seen in Sguil:

 

INFECTION CHAIN OF EVENTS

 

ASSOCIATED DOMAINS AND IP ADDRESSES

Sweet Orange EK domain names: drydgetypess.us and likestwittersfoll.us
Sponsoring registrar:  Internet.bs Corp.
Registration date for both domains:  2014-01-23
IP address for both domains:  82.146.35.151
IP Location:  Belgium - ISPsystem CJSC
ASN:  Belgium AS29182 ISPSYSTEM-AS ISPsystem Autonomous System (registered Jun 23, 2003)
Resolve Host:  denisla20001.timhost.ru
Org-name:  CJSC Cloud
Address:  CJSC Cloud, Raduzhny, 32-34
Address:  PoBox2, Irkutsk, 664017
Country:  Russian Federation

 

Callback domain names:  likestwittersfoll.us and clocksflowers.us
Sponsoring registrar:  Internet.bs Corp.
Registration date for likestwittersfoll.us:  2014-01-25
Registration date for clocksflowers.us:  2014-01-10
IP address for both domains:  198.50.198.182
IP Location:  Canada, Montreal - Private Customer
ASN:  Canada AS16276 OVH OVH Systems (registered Feb 15, 2001)
CustName:  Private Customer
Address:  Private Residence
City:  Vinnitsa
Country:  UA (Ukraine)

 

INFECTION TRAFFIC DETAILS

Traffic to the index page for www.bluelakechalet.co.nz has an iframe to the Sweet Orange domain:

 

This Sweet Orange domain on drydgetypess.us (82.146.35.151) sends the exploit:

 

The HTML is gzip compressed in Wireshark's TCP stream view, so we'll have to extract it from the PCAP using:  File --> Export Objects --> HTTP
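As an added example (not from the original post), here is a Python script that does the same extraction without Wireshark's GUI: it splits a raw HTTP response as it appears in the TCP stream, undoes chunking and gzip/deflate Content-Encoding, and pulls the iframe host out of the decoded HTML. The response bytes and the ek-landing.example domain are constructed for the example.

```python
import gzip
import re
import zlib

# Constructed sample: a raw HTTP response as captured in a TCP stream, with the
# HTML body gzip-compressed as in the post (domain and markup are made up).
_HTML = (b'<html><head></head><body>\n'
         b'<iframe src="http://ek-landing.example/index.php" width="1" height="1"></iframe>\n'
         b'</body></html>')
_BODY = gzip.compress(_HTML)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(_BODY)) + _BODY


def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (chunk-size lines are hex)."""
    out, pos = b"", 0
    while pos < len(body):
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)
        if size == 0:
            break
        out += body[line_end + 2:line_end + 2 + size]
        pos = line_end + 2 + size + 2
    return out


def decode_body(headers, body):
    """Undo chunking and Content-Encoding so the HTML can be read and inspected."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        # Some servers send raw deflate rather than zlib-wrapped data; try both.
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def iframe_hosts(html):
    """Return host names referenced by iframe src attributes in the decoded HTML."""
    srcs = re.findall(rb'<iframe[^>]*\ssrc=["\']?([^"\'\s>]+)', html, re.IGNORECASE)
    return sorted({re.sub(rb'^https?://', b'', s).split(b'/')[0].decode() for s in srcs})
```

To use it on a real capture, feed it the server-to-client bytes of a single followed TCP stream; the decoded HTML is what the malwr.com Strings section shows.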

I've posted the HTML to malwr.com, where you can go to the Static Analysis tab and look at the Strings section to view the entire HTML file (here's the link).  Below is an image of the beginning of that page:

 

Here's the end of the page:

 

This is MSIE exploit CVE-2013-2551 under some obfuscation.  On a vulnerable host, it generates an HTTP GET request for malware from the same IP address (82.146.35.151) using a different domain name (likestwittersfoll.us):

 

POST-INFECTION CALLBACK TRAFFIC

After the initial malware, we see an HTTP POST as the infected host checks in with anonsinformstim.us (198.50.198.182):

 

After the infected host checked in with anonsinformstim.us, it called back for more malware.  Here's the HTTP GET request for more malware from clocksflowers.us (also on 198.50.198.182):

 

Here's the second HTTP GET request for another piece of malware from clocksflowers.us:

 

PRELIMINARY MALWARE ANALYSIS

File name:  2014-01-26-malware-from-likestwittersfoll.us.exe
File size:  85.0 KB ( 87040 bytes )
MD5 hash:  106009e42576b66c2a6fe05a9d4de959
VirusTotal link:  https://www.virustotal.com/en/file/98c79dd4b0aa4f8e41504c74295a2269eb9bed8043b39f83d1c279d5b3d55db9/analysis/
Detection ratio:  9 / 50
First submission:  2014-01-26 02:24:49 GMT
Malwr Link:  https://malwr.com/analysis/YjhmYmFjMzAzMjdlNDJhYzlhYzIyNTU3NGI0MzBkMGU/

 

File name:  2014-01-26-malware-from-clocksflowers.us-01.exe
File size:  96.5 KB ( 98790 bytes )
MD5 hash:  713771623ac895731893c9a3ca4d3150
VirusTotal link:  https://www.virustotal.com/en/file/72228871d171164f212a2a652a833cf4433b9b31ec2c9cd6138eede460694017/analysis/
Detection ratio:  25 / 50
First submission:  2014-01-26 02:25:15 GMT
Malwr Link:  https://malwr.com/analysis/OTAyNzk4Y2MwN2U5NGFmOGE2OGJjY2IxZDA2YWI2ODk/

 

File name:  2014-01-26-malware-from-clocksflowers.us-02.exe
File size:  522.0 KB ( 534544 bytes )
MD5 hash:  d2aaa839f8a8861f7a214ea97540c57d
VirusTotal link:  https://www.virustotal.com/en/file/b193f8e95a02b40a688a7ad23fee4dbc97d8b49b567eefce08658d1ce292ae21/analysis/
Detection ratio:  5 / 49
First submission:  2014-01-26 02:25:41 GMT
Malwr Link:  https://malwr.com/analysis/OWM5MzRjMjJkZjY1NDI1NGJlMTc1NDNmZmFhMjI1ODY/

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
