2014-08-27 - SWEET ORANGE EK FROM 95.163.121.188 - CDN.TEQUILASPECTATOR.COM:16122

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

SWEET ORANGE EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-08-27-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB (5,111 bytes)
MD5 hash:  a6ef2e19611f346b7dfdf1c6e1473fdd
Detection ratio:  1 / 54
First submission:  2014-08-26 20:54:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c3b66c5001ef5be105abbd52e3bd98453b21bc83c6615862ad79fad7a6039faf/analysis/

MALWARE PAYLOAD

File name:  2014-08-27-Sweet-Orange-EK-malware-payload.exe
File size:  288.0 KB (294,912 bytes)
MD5 hash:  ce886d3f1b3f6360e53cfeb000b39a30
Detection ratio:  10 / 55
First submission:  2014-08-26 19:42:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fe0139caf70e46b502760c3c6c4fe0d123a20027814225982a9697e82754a204/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

HIGHLIGHTS FROM THE TRAFFIC

Malicious script in .js file retrieved from compromised website:

Redirect pointing to Sweet Orange EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.