2014-09-05 - SWEET ORANGE EK FROM 8.28.175.69 - NASHVILLE.LOCKMANENTERPRISES.NET:9290 & NATIONAL.LOCKMANENTERPRISES.ORG:9290

ASSOCIATED FILES:
NOTES:
CHAIN OF EVENTS

ASSOCIATED DOMAINS:
ORIGINAL WEBSITE AND REDIRECT CHAIN:
SWEET ORANGE EK:
POST-INFECTION TRAFFIC:
PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name: 2014-09-05-Sweet-Orange-EK-flash-exploit.swf
File size: 5.0 KB (5156 bytes)
MD5 hash: 543632124be9b7488f53167db1cb197c
Detection ratio: 4 / 54
First submission: 2014-09-04 13:54:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/5fdaa4db0c66fe58c44dc66606c0db4271990bc3c5d6375d3b4476000cb22d6b/analysis/
MALWARE PAYLOAD:

File name: 2014-09-05-Sweet-Orange-EK-malware-payload.exe
File size: 170.9 KB (174963 bytes)
MD5 hash: 470c1821d66be597a0426c704bfa0769
Detection ratio: 1 / 55
First submission: 2014-09-05 16:10:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/497ee10ac654ba43bd1a44652460bb3d132822e279ca75c8856aed08361629b7/analysis/
SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.