2014-05-05 - SWEET ORANGE EK FROM 93.171.173.113 - 124124.TTL60.COM

ASSOCIATED FILES:

PREVIOUS SWEET ORANGE EK POSTED ON THIS BLOG:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEB SITE AND REDIRECTS:

SWEET ORANGE EXPLOIT KIT:

POST-INFECTION CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-05-Sweet-Orange-EK-flash-exploit.swf
File size:  9.1 KB ( 9298 bytes )
MD5 hash:  acbe4b41daa37681d5c40872958032e1
Detection ratio:  0 / 52
First submission:  2014-05-05 08:04:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/01232e79e8e1263f81d0edd5531975e6019f5dff025bde6fb642285cee322685/analysis/


MALWARE PAYLOAD

File name:  2014-05-05-Sweet-Orange-EK-malware-payload.exe
File size:  408.0 KB ( 417792 bytes )
MD5 hash:  f25eafce9aeee2d28798a16860de9700
Detection ratio:  3 / 51
First submission:  2014-05-05 08:04:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/49857af05d5b658fddbb753f720c6586719bff844e7e9103aa5f888cb8dd52c9/analysis/

Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Msoft Windows
Value data: "C:\ProgramData\Msoft\xsljqlozd.exe"
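Added example, not from the original post: a defender-side check over Run-key values that flags the traits of the persistence entry above (executable under C:\ProgramData, a random-looking file name, and a value name that borrows Microsoft branding). The sample entries are constructed here, with the first reproducing the value from this write-up, and the thresholds are assumptions to tune against a local baseline.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (name -> data). The first entry reproduces the persistence value from
# this write-up; the other two are benign examples made up for the demo.
SAMPLE_RUN_ENTRIES = {
    "Msoft Windows": r'"C:\ProgramData\Msoft\xsljqlozd.exe"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

# User-writable locations where dropped payloads commonly end up.
USER_WRITABLE_DIRS = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\public\\")
# Locations where legitimately installed software normally lives.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BRANDING = re.compile(r"msoft|microsoft|windows", re.IGNORECASE)

def executable_path(value_data):
    """Strip surrounding quotes and trailing arguments from a Run value."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]

def looks_random(file_name):
    """Vowel-starved alphabetic stems such as 'xsljqlozd' (constructed threshold)."""
    stem = re.sub(r"\.exe$", "", file_name.lower())
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2

def assess_run_entry(value_name, value_data):
    """Return reasons the entry resembles malware persistence (empty list = nothing odd)."""
    reasons = []
    path = executable_path(value_data).lower()
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("executable lives in a user-writable directory")
    if looks_random(path.rsplit("\\", 1)[-1]):
        reasons.append("executable name looks randomly generated")
    if BRANDING.search(value_name) and not path.startswith(TRUSTED_ROOTS):
        reasons.append("value name borrows Microsoft branding but path is outside trusted roots")
    return reasons

def suspicious_entries(entries):
    """Map each flagged value name to its list of reasons."""
    return {name: r for name, data in entries.items() if (r := assess_run_entry(name, data))}

if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the entries would come from `reg query` or `winreg` output instead of the constructed dictionary; the heuristics stay the same.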


FOLLOW-UP MALWARE (1 OF 2)

File name:  2014-05-05-post-infection-malware-from-clp.ie.exe
File size:  246.2 KB ( 252155 bytes )
MD5 hash:  9e134cffb4e5eedc822310deda9b9bc7
Detection ratio:  23 / 51
First submission:  2014-05-04 18:20:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/95088b6e3a1abc4d38a4346ee135751191342ff2e56b7ad88958efe1a377a905/analysis/


FOLLOW-UP MALWARE (2 OF 2)

File name:  2014-05-05-post-infection-malware-from.blessings-4u.com.exe
File size:  2.1 MB ( 2188288 bytes )
MD5 hash:  ccccaad9464bb31ad64b1caeb7ad3ba7
Detection ratio:  3 / 52
First submission:  2014-05-05 08:06:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3b91e31fdad6119b247798237ebdc515607f55c260acab8b61ad836df121eda2/analysis/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Malicious, obfuscated JavaScript sent from the compromised website. This is the same redirect seen on 2014-04-30. That one led to pagerank.net.au, which redirected to a fake Flash player page. This one also led to pagerank.net.au and included a couple more redirects that eventually landed on Sweet Orange EK.


Final redirect to Sweet Orange EK:


Sweet Orange EK sends the Flash exploit:


The successful Flash exploit delivers an unencrypted malware payload:


After the payload was delivered, there were other requests for Java exploits (.JAR files), but those all returned a 502 Bad Gateway.


First post-infection callback traffic:


Two more HTTP GET requests for malware:


Here's an example of the traffic that triggered the alert "ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response":


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
