2014-08-21 - SWEET ORANGE EK FROM 95.163.121.188 - CDN5.SEEFU.MOBI:16122 AND CDN3.SEFU.MOBI:16122

ASSOCIATED FILES:


NOTES:


PREVIOUS BLOG ENTRIES ON SWEET ORANGE EK:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


SWEET ORANGE EK:


PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD:

File name:  2014-08-21-Sweet-Orange-EK-malware-payload.exe
File size:  240.0 KB ( 245760 bytes )
MD5 hash:  6ca975773fb4bf9f29ef8ea84248637a
Detection ratio:  5 / 55
First submission:  2014-08-21 14:51:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/be6a38dd40d19cf52a3a471e580e273e8643841909bcf6b4fdd74112e3cc3d04/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


SCREENSHOTS FROM THE TRAFFIC

Malicious javascript from compromised website (the second highlighted portion shows the redirect URL, partially obfuscated using hex encoding):

htt\x70\x3a/\x2fsrc.s\x61\x6edcastle\x73m\x61g\x61z\x69n\x65.\x63o\x6d/k\x3f\x74=   translates to   http://src.sandcastlesmagazine.com/k?t=
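The decoding above can be automated when triaging captured JavaScript. The following is an added example, not code from the original post: it decodes `\xNN` escapes, measures how much of the string was needlessly escaped (a cheap indicator of obfuscation), and extracts the resulting URL. The sample string is copied from the screenshot above; the function names are my own.

```python
import re

# Obfuscated redirect string as shown in the screenshot (constructed copy for this example)
OBFUSCATED = r"htt\x70\x3a/\x2fsrc.s\x61\x6edcastle\x73m\x61g\x61z\x69n\x65.\x63o\x6d/k\x3f\x74="

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_PATTERN = re.compile(r"""https?://[^\s'"<>]+""")


def decode_hex_escapes(s: str) -> str:
    """Replace every \\xNN escape with the character it encodes; other text is untouched."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def escape_ratio(s: str) -> float:
    """Fraction of \\xNN escapes that encode printable ASCII.

    Legitimate scripts almost never hex-escape plain letters, digits or '/',
    so a ratio near 1.0 on a string containing a URL is a useful triage signal.
    Returns 0.0 when the string contains no escapes at all.
    """
    escapes = HEX_ESCAPE.findall(s)
    if not escapes:
        return 0.0
    printable = sum(1 for h in escapes if 0x20 <= int(h, 16) < 0x7F)
    return printable / len(escapes)


def extract_urls(js: str) -> list:
    """Decode escapes in a JavaScript fragment, then return any http(s) URLs found."""
    return URL_PATTERN.findall(decode_hex_escapes(js))


if __name__ == "__main__":
    snippet = "var u='" + OBFUSCATED + "';"
    print("decoded :", decode_hex_escapes(OBFUSCATED))
    print("escapes :", f"{escape_ratio(OBFUSCATED):.2f} printable-escape ratio")
    print("urls    :", extract_urls(snippet))
```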


Redirect pointing to Sweet Orange EK landing page:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
