2014-08-29 - SWEET ORANGE EK FROM 95.163.121.188 - CDN3.THECRITICO.COM:16122 & CDN5.THECRITICO.MX:16122

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

SWEET ORANGE EK:

PRELIMINARY MALWARE ANALYSIS

FIRST JAVA EXPLOIT:

File name:  2014-08-29-Sweet-Orange-EK-java-exploit-1-of-2.jar
File size:  39.9 KB ( 40860 bytes )
MD5 hash:  c9a5faa1787cadfaa47e42bbad6dc468
Detection ratio:  3 / 46
First submission:  2014-08-29 23:34:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0900f9b4876bc100aca58e30741ab11e53b9ab2162589cd040c53e62b3b4da00/analysis/

SECOND JAVA EXPLOIT:

File name:  2014-08-29-Sweet-Orange-EK-java-exploit-2-of-2.jar
File size:  41.9 KB ( 42875 bytes )
MD5 hash:  0ef5b870ad402c6eb2ccb6339500b03c
Detection ratio:  3 / 55
First submission:  2014-08-29 23:34:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6dfaf95db632294751f598f4cf0340197af5cff198a68bcd1983450c3102990d/analysis/

MALWARE PAYLOAD:

File name:  2014-08-29-Sweet-Orange-EK-malware-payload.exe
File size:  268.0 KB ( 274432 bytes )
MD5 hash:  e1c8faa1049f52c6d925c5183216fe7e
Detection ratio:  13 / 55
First submission:  2014-08-29 15:49:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4b2dfccc4c028dc36eed090cd7738f825e012c4e84fa5a09ee11ec4168b148f3/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

SCREENSHOTS FROM THE TRAFFIC

Malicious JavaScript code from the compromised website:

Redirect pointing to Sweet Orange EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.