2014-08-20 - SWEET ORANGE EK FROM 95.163.121.188 - CDN.SEEFOO.CO:16122 AND CDN3.SEEFOO.NET:16122

ASSOCIATED FILES:


NOTES:


PREVIOUS BLOG ENTRIES ON SWEET ORANGE EK:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


SWEET ORANGE EK:


PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD:

File name:  2014-08-20-Sweet-Orange-EK-malware-payload.exe
File size:  240.0 KB ( 245760 bytes )
MD5 hash:  79f3ce6a26e9d0b559f0218ef55abf25
Detection ratio:  15 / 53
First submission:  2014-08-20 17:52:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e75f0c6016c79fce9bc300ae37696d1cde01eb5f273e4d4098b1569a36eab36/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:


SCREENSHOTS FROM THE TRAFFIC

Malicious JavaScript from the compromised website (the second highlighted portion shows the redirect URL, partially obfuscated using hex encoding):
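Hex-escaped string literals of the kind described above can be recovered without executing the script. The following Python helper is an added example for this post, not the author's code or anything taken from the capture; the JavaScript snippet and the redirector hostname in it are constructed, and the decoding rules (`\xHH`, `\uHHHH`, `%HH` escapes and simple `" + "` string concatenation) are the general case of which the hex-encoded redirect URL is one instance. It also defangs the recovered URL so it can be pasted into a report safely.

```python
import re

# Constructed sample of an obfuscated redirect, in the style of the injected script
# described above (not the script from the actual capture).
SAMPLE_JS = r'''
var a = "\x68\x74\x74\x70\x3a\x2f\x2f" + "redirector.example.invalid" + "\x2f\x6c\x61\x6e\x64\x69\x6e\x67\x2e\x70\x68\x70";
document.write("<iframe src='" + a + "' width=1 height=1></iframe>");
'''

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")        # \x68 -> 'h'
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")    # \u0068 -> 'h'
PERCENT_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")      # %68 -> 'h'
STRING_CONCAT = re.compile(r'"\s*\+\s*"')              # "abc" + "def" -> "abcdef"
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def decode_escapes(text):
    """Replace JavaScript/URL character escapes with the characters they encode."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = PERCENT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text


def join_concatenations(text):
    """Merge adjacent double-quoted literals joined with '+' into one literal."""
    return STRING_CONCAT.sub("", text)


def extract_urls(js):
    """Deobfuscate the script text and return the distinct URLs it contains, sorted."""
    decoded = join_concatenations(decode_escapes(js))
    return sorted(set(URL_RE.findall(decoded)))


def defang(url):
    """Render a URL non-clickable for reports: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_JS):
        print(defang(url))
```

The decoding is purely textual, so it cannot be fooled into running the script, but it also only handles static escapes and literal concatenation; redirects built with `eval`, `String.fromCharCode` arithmetic or packer functions need a sandboxed JavaScript engine instead.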


Redirect pointing to Sweet Orange EK landing page:


Sweet Orange EK landing page with what I assume is the CVE-2013-2551 MSIE exploit, obfuscated (full text is included in the malware zip file):


Sweet Orange EK delivering the malware payload:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
