2014-08-18 - SWEET ORANGE EK FROM 95.163.121.188 - GOOGLE.CHAGWICHITA.COM:16122

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT CHAIN - FIRST RUN:

 

SWEET ORANGE EK FIRST RUN - INFECTION THROUGH FLASH EXPLOIT:

 

COMPROMISED WEBSITE AND REDIRECT CHAIN - SECOND RUN:

 

SWEET ORANGE EK SECOND RUN - INFECTION THROUGH JAVA EXPLOIT:

NOTE:  The second-run malware payload was sent twice in the same encrypted stream.  The HTTP header shows 688,152 bytes returned through the Java exploit:

 

The user's AppData\Local\Temp directory shows two files of the same size (both have the same file hash):

 

Each file is 344,064 bytes.  Together they total 688,128 bytes, only 24 bytes short of the 688,152-byte encrypted payload stream, which is consistent with the same binary being delivered twice in that one response.

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT - CVE-2014-0515

File name:  2014-08-18-Sweet-Orange-EK-flash-exploit.swf
File size:  4.9 KB ( 4993 bytes )
MD5 hash:  64c0bc0e756d57a8e73469024a214aae
Detection ratio:  1 / 53
First submission:  2014-08-18 20:59:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d4e9252767437a0cfed03cd0ecafaaaf56d9aee69ed116872b844df2b30931e5/analysis/

 

FIRST JAVA EXPLOIT

File name:  2014-08-18-Sweet-Orange-EK-java-exploit-01.jar
File size:  33.9 KB ( 34716 bytes )
MD5 hash:  9848d33f38a1880a72e45d1f83cc14d9
Detection ratio:  2 / 53
First submission:  2014-08-18 20:59:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9415f943f834e2fdbe34dba1bae8b64a68aa3f506161ed64e23d115265a45668/analysis/

 

SECOND JAVA EXPLOIT:

File name:  2014-08-18-Sweet-Orange-EK-java-exploit-02.jar
File size:  32.9 KB ( 33727 bytes )
MD5 hash:  77ed1969073f58ce265479a2d23d9bc5
Detection ratio:  3 / 53
First submission:  2014-08-17 12:11:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0d66e33c2423af16c057c83a31d5013b796d0e19797313501013b3ce44f90f5a/analysis/

 

MALWARE PAYLOAD (FIRST AND SECOND RUN):

File name:  2014-08-18-Sweet-Orange-EK-malware-payload.exe
File size:  336.0 KB ( 344064 bytes )
MD5 hash:  20690c84939b1cecf3b6ff710d555977
Detection ratio:  17 / 53
First submission:  2014-08-18 20:59:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e4a074dddd63e629d799e5dc148dfa7ae141526f30b75d867f64571b92adb7a5/analysis/

 

SNORT EVENTS - FIRST RUN

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SNORT EVENTS - SECOND RUN

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

Here's the malicious JavaScript from the compromised website.  Two portions are highlighted.  First is the jquery_datepicker function, which has been documented several times in recent write-ups I've done for Sweet Orange EK.  The second is src="\x68t\x74p://sr\x63\x33\x2e20\x314ope\x6ere\x6e\x74\x61ls\x2e\x63om/\x6b?t=" which, once the \xHH escapes are resolved, reads: src="http://src3.2014openrentals.com/k?t="

 

Here's the redirect calling the jquery_datepicker function on a long string.  Strip every character that is not 0 through 9 or a through f, and what remains is a hex string that decodes to the Sweet Orange EK landing page URL.
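The two obfuscation tricks above (JavaScript \xHH escapes in the injected src, and the jquery_datepicker "drop everything that isn't a hex digit, then hex-decode" scheme) are easy to undo offline without running the script.  The following Python is an added example, not code from the post or from the exploit kit: ESCAPED_SRC is the src value quoted above, while the junk alphabet, the obfuscator helper and the sample landing-page URL used to build a test blob are constructed here for illustration (the real redirect string is only shown as a screenshot in the post).

```python
import re
from itertools import cycle
from typing import List

# The src attribute copied from the injected script quoted in the post above.
ESCAPED_SRC = r"\x68t\x74p://sr\x63\x33\x2e20\x314ope\x6ere\x6e\x74\x61ls\x2e\x63om/\x6b?t="

# Filler characters for the constructed sample blob.  Assumption: any character
# outside [0-9a-f] is filler; the real kit's choice of filler is not shown here.
JUNK = "ghjkmnpqrstuvwxyzXYZ-_!"


def decode_js_hex_escapes(s: str) -> str:
    """Resolve \\xHH escapes the way the JS engine does when it parses the literal."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def decode_datepicker_blob(blob: str) -> str:
    """Mimic jquery_datepicker: keep only 0-9 and a-f, then hex-decode what is left."""
    hex_only = re.sub(r"[^0-9a-f]", "", blob)
    if len(hex_only) % 2:
        # An odd digit count means the filter ate a real digit or the input is not this scheme.
        raise ValueError("odd number of hex digits after filtering")
    return bytes.fromhex(hex_only).decode("latin-1")


def obfuscate_like_datepicker(plain: str) -> str:
    """Constructed helper: hex-encode `plain` and sprinkle JUNK between the digits so
    the result resembles the blob the redirect hands to jquery_datepicker.
    Deterministic, so decoding it is reproducible."""
    digits = plain.encode("latin-1").hex()
    junk = cycle(JUNK)
    out = []
    for i, d in enumerate(digits):
        out.append(d)
        if i % 3 == 2:  # one filler character after every third hex digit
            out.append(next(junk))
    return "".join(out)


def extract_escaped_srcs(script_text: str) -> List[str]:
    """Pull every src="..." out of a script chunk and resolve its \\xHH escapes,
    so injected JavaScript can be triaged without executing it."""
    return [decode_js_hex_escapes(m) for m in re.findall(r'src="([^"]*)"', script_text)]


if __name__ == "__main__":
    print(decode_js_hex_escapes(ESCAPED_SRC))
    # Constructed sample: the landing-page host from this post's title, obfuscated then recovered.
    blob = obfuscate_like_datepicker("http://google.chagwichita.com:16122/")
    print(blob)
    print(decode_datepicker_blob(blob))
```

Run it on a captured script body and the src list gives you the redirector hostnames to block or pivot on; feed the long argument string from the redirect into decode_datepicker_blob to recover the landing page without ever loading it in a browser.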

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
