2014-05-21 - SWEET ORANGE EK FROM 93.171.173.173 - ADV.BEACHRENTAL.HOUSE:13014 AND ADV.CATSKILLS.HOUSE:13014

ASSOCIATED FILES:

PREVIOUS SWEET ORANGE EK POSTED ON THIS BLOG:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

SWEET ORANGE EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-21-Sweet-Orange-EK-flash-exploit.swf
File size:  9.1 KB ( 9310 bytes )
MD5 hash:  fb92aa02ac21305d6a1a92aba10d6f87
Detection ratio:  0 / 53
First submission:  2014-05-21 06:42:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e6d218c2ec9b2d2ba44168ae823bacf199a9516a9033ff72f34f5a06bf2f89b0/analysis/

 

SNORT EVENTS

No events were triggered.  Why?  Because the EK used TCP port 13014, a non-standard port for HTTP.  Snort's HTTP rules only look at traffic on the ports listed in the $HTTP_PORTS variable, and the http_inspect preprocessor only decodes those ports, so nothing in this PCAP was ever matched against the exploit kit signatures.

In Security Onion, you can change the port and replay the PCAP on the sniffing interface (eth0 below) with the following commands.  The other option is to add 13014 to HTTP_PORTS in snort.conf, but for a one-off PCAP the rewrite is quicker:

tcprewrite --portmap=13014:80 --infile=filename.pcap --outfile=newfilename.pcap
sudo tcpreplay --intf1=eth0 newfilename.pcap

The EK traffic now generates the following alerts:

 

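Rewriting the port makes the existing rules fire, but it only works once you already know which port the EK used.  A port-agnostic check looks at the TCP payload instead.  The script below is an added example for this post, not part of Security Onion or of the original write-up: it parses a classic pcap with nothing but the Python standard library and flags any HTTP request or response carried on a port outside a (shortened, assumed) $HTTP_PORTS list.  The pcap it inspects is constructed inline; 93.171.173.173, adv.beachrental.house and port 13014 come from this post, while the client address, the second remote host, and the request paths are made up for the demo.

```python
"""Port-agnostic HTTP detection over a pcap (stdlib only).

Snort's HTTP rules are limited to the ports in $HTTP_PORTS, so an exploit
kit served over TCP/13014 slides past them unless the pcap is rewritten or
the variable is changed.  This example looks at the TCP payload instead:
anything that starts like an HTTP request or status line is HTTP, whatever
the port.  Everything below, including the pcap, is constructed for the demo.
"""
import struct

# Assumption: a shortened stand-in for the default Snort $HTTP_PORTS list.
HTTP_PORTS = {80, 81, 8000, 8008, 8080, 8088, 8888}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
HTTP_RESPONSE = b"HTTP/1."


def looks_like_http(payload):
    """True if the payload begins like an HTTP request or response."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(HTTP_RESPONSE)


def iter_tcp_segments(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP
    packet in a classic (non-pcapng) pcap with Ethernet link type."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:                                       # not TCP
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, dst, sport, dport, tcp[data_off:]


def http_on_nonstandard_ports(pcap, http_ports=HTTP_PORTS):
    """Return (src, dst, sport, dport, first_line) for every HTTP payload on
    a port that a port-based HTTP rule set would never inspect."""
    hits = []
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap):
        if not looks_like_http(payload):
            continue
        if sport in http_ports or dport in http_ports:
            continue                                  # Snort would see this one
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        hits.append((src, dst, sport, dport, first_line))
    return hits


# --- constructed sample pcap ------------------------------------------------
def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# EK host and port are from the post; 192.168.1.10, 203.0.113.5 and the
# request paths are made up for the example.
SAMPLE_PCAP = _pcap([
    _tcp_frame("192.168.1.10", "93.171.173.173", 49213, 13014,
               b"GET /example.swf HTTP/1.1\r\nHost: adv.beachrental.house:13014\r\n\r\n"),
    _tcp_frame("93.171.173.173", "192.168.1.10", 13014, 49213,
               b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\nFWS"),
    _tcp_frame("192.168.1.10", "203.0.113.5", 49214, 80,
               b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _tcp_frame("192.168.1.10", "192.168.1.1", 49215, 13014,
               b"\x16\x03\x01\x00\x05hello"),            # TLS-looking bytes, not HTTP
])

if __name__ == "__main__":
    for src, dst, sport, dport, line in http_on_nonstandard_ports(SAMPLE_PCAP):
        print("HTTP on non-standard port: %s:%d -> %s:%d  %s" % (src, sport, dst, dport, line))
```

Passing `http_ports=HTTP_PORTS | {13014}` makes the hits disappear, which is exactly what adding the port to HTTP_PORTS in snort.conf does for the real sensor.  For production use the same idea is what protocol-aware tools (Bro/Zeek's dynamic protocol detection, Snort's own port-independent protocol identification in later versions) do for you.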
HIGHLIGHTS FROM THE TRAFFIC

One of the JavaScript files from the compromised website has some malicious code injected into it:

Highlighted in yellow above:

 

cdn.buyorselltnhomes.com provides the jquery_datepicker variable.  The image below shows how to find the next step in the infection chain:

 

Sweet Orange EK delivers the Flash exploit:

 

The HTTP GET request for the EXE payload returns a 502 Bad Gateway response, so no malware payload was retrieved from this infection chain (which is why only the Flash exploit appears in the malware analysis above):

 

One of the HTTP GET requests for a Java exploit.  These also returned a 502 Bad Gateway response:

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
