2014-09-11 - SWEET ORANGE EK FROM 87.118.126.94 - OREGON.RAPTORTEK.COM:9290 & ORGANIZER.SUSIE-QS.COM:9290

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


SWEET ORANGE EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-11-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB ( 5155 bytes )
MD5 hash:  7a7f7788b4a74ab85b6ea5cdd2abd2cf
Detection ratio:  3 / 55
First submission:  2014-09-10 19:12:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5a1d27a10a6239f445dbac9be66833b9487332ffc9fcd6b9da595e8dd46ad5a1/analysis/


MALWARE PAYLOAD (ZEMOT):

File name:  2014-09-11-Sweet-Orange-EK-malware-payload.exe
File size:  150.9 KB ( 154483 bytes )
MD5 hash:  e21dbc4c7bc36d0b8323b0b0fccd34b0
Detection ratio:  3 / 53
First submission:  2014-09-11 15:52:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8859af309f72c8f5603c0eaabca4a0607fa9bc4d8fc3f216f7282a0d4d34a46b/analysis/
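The two file records above are the only indicators a defender can act on from this page. The following added example (not code from the page's author) parses such "Key:  value" records into structured indicators, recovers the SHA-256 from the VirusTotal URL (the /file/<hash>/ path component of those links is the sample's SHA-256), and checks a local file's size and hashes against them. The record text is copied from the page; the sample bytes and the function names are constructed for this example.

```python
import hashlib
import re

# Indicator records copied verbatim from the "PRELIMINARY MALWARE ANALYSIS"
# section of the page. The VirusTotal URL's /file/<hash>/ path component is
# the sample's SHA-256, so each record yields both an MD5 and a SHA-256.
PAGE_RECORDS = """\
File name:  2014-09-11-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB ( 5155 bytes )
MD5 hash:  7a7f7788b4a74ab85b6ea5cdd2abd2cf
Detection ratio:  3 / 55
First submission:  2014-09-10 19:12:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5a1d27a10a6239f445dbac9be66833b9487332ffc9fcd6b9da595e8dd46ad5a1/analysis/

File name:  2014-09-11-Sweet-Orange-EK-malware-payload.exe
File size:  150.9 KB ( 154483 bytes )
MD5 hash:  e21dbc4c7bc36d0b8323b0b0fccd34b0
Detection ratio:  3 / 53
First submission:  2014-09-11 15:52:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8859af309f72c8f5603c0eaabca4a0607fa9bc4d8fc3f216f7282a0d4d34a46b/analysis/
"""

SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
VT_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def parse_records(text):
    """Turn blank-line separated 'Key:  value' blocks into indicator dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "md5 hash" not in fields:
            continue  # not a file record
        size = SIZE_RE.search(fields.get("file size", ""))
        vt = VT_SHA256_RE.search(fields.get("virustotal link", ""))
        records.append({
            "name": fields.get("file name"),
            "size": int(size.group(1)) if size else None,
            "md5": fields["md5 hash"].lower(),
            "sha256": vt.group(1).lower() if vt else None,
        })
    return records


def indicator_from_bytes(name, data):
    """Build a record in the same shape for a file held locally."""
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_indicators(data, records):
    """Return every record whose MD5 or SHA-256 equals the hash of data.

    Size is compared first as a cheap sanity check: a file whose length
    differs from the record's cannot be the same file."""
    local = indicator_from_bytes("local", data)
    hits = []
    for rec in records:
        if rec["size"] is not None and rec["size"] != local["size"]:
            continue
        if rec["md5"] == local["md5"] or rec["sha256"] == local["sha256"]:
            hits.append(rec)
    return hits


# Constructed sample bytes (not the real Flash file): same length as the
# 5155-byte exploit on the page, so only the hash comparison decides.
SAMPLE = b"constructed sample, not malware\n" * 161 + b"x" * 3


if __name__ == "__main__":
    records = parse_records(PAGE_RECORDS)
    for rec in records:
        print(rec["name"], rec["size"], rec["md5"], rec["sha256"])
    print("hits for constructed sample:", match_indicators(SAMPLE, records))
```

Feeding real files through `match_indicators` (read with `open(path, "rb").read()`) gives a quick way to confirm whether a captured SWF or EXE is one of the two samples listed here; a size match alone means nothing, as the constructed sample shows.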


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):


HIGHLIGHTS FROM THE TRAFFIC

Malvertising pattern previously associated with Nuclear EK (pointing instead to a Sweet Orange EK redirect):


Redirect pointing to Sweet Orange EK:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
