2014-07-08 - SWEET ORANGE EK FROM 94.185.82.199 PORT 16122 - CDN.AHASTORE.NET:16122

PCAP AND MALWARE:

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

SWEET ORANGE EK:

NOTE: The GET requests for .jar files all returned a "404 Not Found" response.
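The chain above (landing page on a non-standard port, failed .jar fetches, a successful .swf, then the EXE) is the kind of per-client sequence a proxy-log review can surface. The following is an added detection example written for this page, not code from the original post or from any tool it uses; the log format and the request paths are constructed placeholders, and only the host and port (cdn.ahastore.net:16122) come from the page.

```python
import re
from collections import defaultdict

# Host:port of the Sweet Orange EK server documented on this page.
EK_HOST_PORT = "cdn.ahastore.net:16122"

# Constructed sample proxy log (not from the page's pcap). Paths are placeholders;
# the field layout is: client method host:port path status
SAMPLE_LOG = """\
10.0.0.5 GET www.compromised-site.invalid:80 /index.html 200
10.0.0.5 GET cdn.ahastore.net:16122 /landing-placeholder 200
10.0.0.5 GET cdn.ahastore.net:16122 /exploit-placeholder.jar 404
10.0.0.5 GET cdn.ahastore.net:16122 /exploit-placeholder.swf 200
10.0.0.5 GET cdn.ahastore.net:16122 /payload-placeholder.exe 200
10.0.0.7 GET cdn.ahastore.net:16122 /landing-placeholder 200
10.0.0.9 GET cdn.other-site.invalid:443 /app.js 200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<hostport>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def _ext(path):
    """Lower-cased file extension of the last path segment, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_ek_chains(events, ek_hostport=EK_HOST_PORT):
    """Group requests to the EK host:port by client and classify how far the chain got.

    Stages, from least to most severe:
      landing_only       - contact with the EK server, no exploit file served
      exploit_served     - a .swf returned 200 (Flash exploit delivered)
      payload_delivered  - a .exe returned 200 after the .swf (likely successful exploit)
    jar_404s counts the failed .jar requests, which on this page were all 404s.
    """
    per_client = defaultdict(list)
    for ev in events:
        if ev["hostport"].lower() == ek_hostport.lower():
            per_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in per_client.items():
        swf_idx = next(
            (i for i, e in enumerate(evs) if _ext(e["path"]) == "swf" and e["status"] == 200),
            None,
        )
        exe_after_swf = swf_idx is not None and any(
            _ext(e["path"]) == "exe" and e["status"] == 200 for e in evs[swf_idx + 1:]
        )
        jar_404s = sum(1 for e in evs if _ext(e["path"]) == "jar" and e["status"] == 404)

        if exe_after_swf:
            stage = "payload_delivered"
        elif swf_idx is not None:
            stage = "exploit_served"
        else:
            stage = "landing_only"
        findings[client] = {"stage": stage, "jar_404s": jar_404s, "requests": len(evs)}
    return findings


if __name__ == "__main__":
    for client, info in find_ek_chains(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

Clients that reached the EK server but never received a .swf still warrant a look (the exploit may have been served over a connection the proxy did not log), but the client with a 200 on the .exe after the .swf is the one to treat as likely infected and check against the payload hash listed above.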


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-07-08-Sweet-Orange-EK-flash-exploit.swf
File size:  4.2 KB ( 4344 bytes )
MD5 hash:  5becfc90fed8bc85cda46468e264f818
Detection ratio:  1 / 44
First submission:  2014-07-08 03:40:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1cf9e9c36fe1a6afebad5c0319a70bd93db6506d5c04ebc46281a72643cc9490/analysis/


MALWARE PAYLOAD

File name:  2014-07-08-Sweet-Orange-EK-malware-payload.exe
File size:  252.0 KB ( 258048 bytes )
MD5 hash:  063222dc6d73da57da5180334be0efa5
Detection ratio:  14 / 53
First submission:  2014-07-07 13:30:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6fb0ae0acec0bbdf1a0fe32bf9df850927c8f1a7b08dff316759b86cf0c3490b/analysis/
Malwr link:  https://malwr.com/analysis/MzE0ZWUyZmZiZDYyNDE0Mjk2NWEyMDNjYTliMTVkYTQ/


HIGHLIGHTS FROM THE TRAFFIC

JavaScript from compromised website:


Redirect:


Sweet Orange EK landing page:


Sweet Orange EK delivers CVE-2014-0515 Flash exploit:


EXE payload sent after successful Flash exploit:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.