2014-09-04 - SWEET ORANGE EK FROM 38.84.134.208 - CDN.LIVISTRO.COM:17982  &  CDN5.MARCHEPOULET.COM:17982

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

 

SWEET ORANGE EK:

NOTE: All requests for the .jar files returned: 502 Bad Gateway

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT - CVE-2014-0515:

File name:  2014-09-04-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB ( 5156 bytes )
MD5 hash:  543632124be9b7488f53167db1cb197c
Detection ratio:  2 / 55
First submission:  2014-09-04 13:54:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5fdaa4db0c66fe58c44dc66606c0db4271990bc3c5d6375d3b4476000cb22d6b/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-04-Sweet-Orange-EK-malware-payload.exe
File size:  256.0 KB ( 262144 bytes )
MD5 hash:  ccc315550bc34b35c1b87fc4934952ba
Detection ratio:  31 / 52
First submission:  2014-09-02 09:23:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a3214d74f0a7cd021627e05abeb6bca15ad4e4a46b0dc60d35ad17414a3a76f7/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including INFO, POLICY or WEB_CLIENT rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

HIGHLIGHTS FROM THE TRAFFIC

From the compromised website: malicious javascript containing the jquery_datepicker function and an obfuscated URL for the redirect:

From the malicious javascript, take this string:  \u0068ttp:\u002f\u002f\u0063dn.stringbas\u0073\u006d\u0075\u0073ic.\u0063o\u006d\u002fk?t\u003d

Remove the "\u00" to better see the hexadecimal:  68ttp:2f2f63dn.stringbas736d7573ic.63o6d2fk?t3d

Translate the hexadecimal to ASCII, and the string is:  cdn.stringbassmusic.com/k?t=

 

Redirect pointing to Sweet Orange EK:

Uncompressed text:

var jquery_datepicker='K.n6U8;7K4v;7P4X=i70$Q3a$k2fP@2fN=r63;o64-H6He.2eH;l6hcR@o6Y9.I7P6@R6G9w-n7i3k-74M,72W;w6Yfl-2pej@6S3.6f@v6ud=i3aT!3k1=3o7,3N9J-38,32X@2tf@v70y;V7o2r@6fG-78O$x79,M2f!63J!v70=6P1=6e-65@6Rck@V2fi$73Q;7S4h@6P1N=N72$67,6s1$6cz!6U1u$7o8;79;Z2eO$I70K;j68T$j7t0-3fp@6eu;q6j5@62.7u5R,6c.61k,m3dS.i3o3';

Extract the hexadecimal from the jquery_datepicker variable:

68 74 74 70 3a 2f 2f 63 64 6e 2e 6c 69 76 69 73 74 72 6f 2e 63 6f 6d 3a 31 37 39 38 32 2f 70 72 6f 78 79 2f 63 70 61 6e 65 6c 2f 73 74 61 72 67 61 6c 61 78 79 2e 70 68 70 3f 6e 65 62 75 6c 61 3d 33

Convert the hexadecimal to ASCII, which translates to the Sweet Orange EK landing page:

http://cdn.livistro.com:17982/proxy/cpanel/stargalaxy.php?nebula=3
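The two decoding steps above (resolving the \u00XX escapes in the redirect string, and pulling the hex digit pairs out of the padded jquery_datepicker value) as an added Python helper, not part of the original write-up. The two obfuscated strings are copied from the page; the noise filter assumes, as this sample shows, that the padding characters are never lowercase a-f.

```python
import re

# Copied from the write-up: the \uXXXX-escaped redirect string from the compromised site.
ESCAPED_REDIRECT = (
    r"\u0068ttp:\u002f\u002f\u0063dn.stringbas\u0073\u006d\u0075\u0073ic."
    r"\u0063o\u006d\u002fk?t\u003d"
)

# Copied from the write-up: the jquery_datepicker value from the redirect page.
JQUERY_DATEPICKER = (
    "K.n6U8;7K4v;7P4X=i70$Q3a$k2fP@2fN=r63;o64-H6He.2eH;l6hcR@o6Y9.I7P6@R6G9w"
    "-n7i3k-74M,72W;w6Yfl-2pej@6S3.6f@v6ud=i3aT!3k1=3o7,3N9J-38,32X@2tf@v70y;"
    "V7o2r@6fG-78O$x79,M2f!63J!v70=6P1=6e-65@6Rck@V2fi$73Q;7S4h@6P1N=N72$67,"
    "6s1$6cz!6U1u$7o8;79;Z2eO$I70K;j68T$j7t0-3fp@6eu;q6j5@62.7u5R,6c.61k,m3dS.i3o3"
)


def strip_u00(s: str) -> str:
    """The write-up's intermediate step: drop the '\\u00' prefixes so the raw hex is visible."""
    return s.replace("\\u00", "")


def decode_unicode_escapes(s: str) -> str:
    """Resolve JavaScript \\uXXXX escapes the way the browser's JS engine would."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def extract_hex_pairs(s: str) -> str:
    """Keep only lowercase hex digits and group them in pairs (matches the page's listing).

    Assumption from this sample: the padding characters are punctuation, digits-free
    uppercase letters and lowercase letters outside a-f, so a plain character filter
    is enough. A different padding alphabet would need a stricter filter.
    """
    digits = re.findall(r"[0-9a-f]", s)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: the noise filter does not fit this sample")
    return " ".join("".join(digits[i:i + 2]) for i in range(0, len(digits), 2))


def decode_hex_with_noise(s: str) -> str:
    """Decode the padded hex string to the ASCII URL it hides."""
    return bytes.fromhex(extract_hex_pairs(s).replace(" ", "")).decode("ascii")


if __name__ == "__main__":
    print(strip_u00(ESCAPED_REDIRECT))
    print(decode_unicode_escapes(ESCAPED_REDIRECT))
    print(extract_hex_pairs(JQUERY_DATEPICKER))
    print(decode_hex_with_noise(JQUERY_DATEPICKER))
```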

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
