2014-07-24 - SWEET ORANGE EK FROM 94.185.82.194 port 16122 - CDN.ABISTRA.CO - CDN.GEORGICAPARTNERS.COM

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


SWEET ORANGE EK:

NOTE: The HTTP GET requests for .jar files all returned 404 Not Found.


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT (CVE-2014-0515)

File name:  2014-07-24-Sweet-Orange-EK-flash-exploit.swf
File size:  4.2 KB ( 4282 bytes )
MD5 hash:  612103976c2466d44cff4344d55464d1
Detection ratio:  1 / 53
First submission:  2014-07-24 15:06:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f2f98d71de6f182b574958d7a5cc31f505e76a7d49efa5abf8091d3769e0abb/analysis/


MALWARE PAYLOAD

File name:  2014-07-24-Sweet-Orange-EK-malware-payload.exe
File size:  252.0 KB ( 258048 bytes )
MD5 hash:  c6f1689e36afd1e67dd0acdae5498f32
Detection ratio:  10 / 53
First submission:  2014-07-24 14:08:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/76d08c42a4c4d653b77ce9fa5aeb7a0ef496afdd40f703e250d7e5d7739794cb/analysis/
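Before handling the extracted artefacts, a practitioner would confirm that each file matches what the report lists. The script below is an added example and is not part of the original write-up: it takes the file size and MD5 stated above, pulls the SHA-256 out of each VirusTotal link (the path segment after /file/ is the file's SHA-256), and checks a local file against all three. The file names, sizes, hashes and URLs are the report's own; the function and type names are chosen here for illustration.

```python
import hashlib
import re
import sys
from typing import Dict, List, NamedTuple


class SampleRecord(NamedTuple):
    """What the report states for one artefact: name, byte size, MD5, SHA-256."""
    name: str
    size: int
    md5: str
    sha256: str


def sha256_from_vt_url(url: str) -> str:
    """Extract the 64-hex-digit SHA-256 from a VirusTotal file-report URL."""
    m = re.search(r"/file/([0-9a-fA-F]{64})/", url)
    if not m:
        raise ValueError(f"no SHA-256 found in VirusTotal URL: {url}")
    return m.group(1).lower()


def hashes_of(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of a byte string, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_sample(data: bytes, record: SampleRecord) -> Dict[str, bool]:
    """Compare size, MD5 and SHA-256 of `data` with the report's record.

    Returns one boolean per property so a partial mismatch (for example a
    truncated download with the right name) is visible rather than hidden
    behind a single pass/fail flag.
    """
    h = hashes_of(data)
    return {
        "size": len(data) == record.size,
        "md5": h["md5"] == record.md5.lower(),
        "sha256": h["sha256"] == record.sha256.lower(),
    }


# Values copied from the PRELIMINARY MALWARE ANALYSIS section of the report.
REPORT_RECORDS: List[SampleRecord] = [
    SampleRecord(
        "2014-07-24-Sweet-Orange-EK-flash-exploit.swf",
        4282,
        "612103976c2466d44cff4344d55464d1",
        sha256_from_vt_url(
            "https://www.virustotal.com/en/file/"
            "3f2f98d71de6f182b574958d7a5cc31f505e76a7d49efa5abf8091d3769e0abb/analysis/"
        ),
    ),
    SampleRecord(
        "2014-07-24-Sweet-Orange-EK-malware-payload.exe",
        258048,
        "c6f1689e36afd1e67dd0acdae5498f32",
        sha256_from_vt_url(
            "https://www.virustotal.com/en/file/"
            "76d08c42a4c4d653b77ce9fa5aeb7a0ef496afdd40f703e250d7e5d7739794cb/analysis/"
        ),
    ),
]


def check_file(path: str, record: SampleRecord) -> Dict[str, bool]:
    """Read a local copy of the artefact and verify it against the record."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read(), record)


if __name__ == "__main__":
    # Usage: python verify.py <extracted file> [<extracted file> ...]
    # Each path is matched to a record by its base file name.
    by_name = {r.name: r for r in REPORT_RECORDS}
    for path in sys.argv[1:]:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        rec = by_name.get(base)
        if rec is None:
            print(f"{base}: not listed in the report")
            continue
        result = check_file(path, rec)
        verdict = "OK" if all(result.values()) else "MISMATCH"
        print(f"{base}: {verdict} {result}")
```

Checking the SHA-256 as well as the MD5 matters because MD5 alone is collision-prone; the VirusTotal link already gives a second, stronger hash for free.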


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript from compromised website:


Redirect using var jquery_datepicker (something I've documented before with Sweet Orange EK traffic):


Sweet Orange EK delivers CVE-2014-0515 Flash exploit:


EXE payload sent after successful Flash exploit:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
