2014-09-19 - SWEET ORANGE EK - 8.28.175.67 - CDN2.SWEETGEORGICAS.NET:17982 - CDN5.SWEETGEORGICAS.COM:17982

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

 

SWEET ORANGE EK:

NOTE: All the above HTTP GET requests for .jar files returned 404 Not Found.
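The network indicators in this post's title (the gate IP, the two cdnN.sweetgeorgicas.* hostnames and the non-standard TCP port 17982) are the kind of thing a responder wants to sweep proxy logs for. Below is an added example, not part of the original post, that does that over a handful of constructed Squid-style access.log lines. The log layout, the paths in the sample URLs, and the assumption that other cdnN.sweetgeorgicas.net/.com labels belong to the same gate are all mine, not from the traffic described above.

```python
import re
from ipaddress import ip_address

# Indicators copied from the title line of this post.
IOC_IPS = {"8.28.175.67"}
IOC_HOSTS = {"cdn2.sweetgeorgicas.net", "cdn5.sweetgeorgicas.com"}
# Assumption: the EK rotates the cdnN label, so any host under these domains is flagged.
IOC_PARENT_DOMAINS = ("sweetgeorgicas.net", "sweetgeorgicas.com")
IOC_PORT = 17982

# Assumed Squid-style access.log layout:
#   <unix ts> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/.*)?$")


def url_indicators(url):
    """Return the names of the indicators a single URL matches (empty list if none)."""
    m = URL_RE.match(url)
    if not m:
        return []
    host = m.group("host").lower()
    port = int(m.group("port") or (443 if m.group("scheme") == "https" else 80))
    hits = []
    if host in IOC_HOSTS:
        hits.append("ioc-host")
    elif any(host == d or host.endswith("." + d) for d in IOC_PARENT_DOMAINS):
        hits.append("ioc-domain")
    try:
        # Host part may be a bare IP, as in a direct-to-IP .jar request.
        if str(ip_address(host)) in IOC_IPS:
            hits.append("ioc-ip")
    except ValueError:
        pass  # not an IP literal
    if port == IOC_PORT:
        hits.append("ioc-port")
    return hits


def scan_log(lines):
    """Return one record per log line that matches at least one indicator."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = url_indicators(m.group("url"))
        if hits:
            records.append({"ts": m.group("ts"), "client": m.group("client"),
                            "url": m.group("url"), "hits": hits})
    return records


# Constructed sample log (not from the pcap); lines 2-4 mimic the gate, a direct-to-IP
# .jar request that 404s, and a rotated cdnN host serving the Flash exploit.
SAMPLE_LOG = """\
1411150001.120 45 10.0.0.15 TCP_MISS/200 8213 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1411150003.410 12 10.0.0.15 TCP_MISS/200 2044 GET http://cdn2.sweetgeorgicas.net:17982/gate.php?q=1 - DIRECT/8.28.175.67 text/html
1411150004.002 9 10.0.0.15 TCP_MISS/404 512 GET http://8.28.175.67:17982/a.jar - DIRECT/8.28.175.67 text/html
1411150005.700 30 10.0.0.22 TCP_MISS/200 5124 GET http://cdn7.sweetgeorgicas.com:17982/a.swf - DIRECT/8.28.175.67 application/x-shockwave-flash
1411150006.300 20 10.0.0.22 TCP_MISS/200 100 GET https://login.example.org/ - DIRECT/203.0.113.5 text/html
"""

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG.splitlines()):
        print(rec["ts"], rec["client"], rec["url"], ",".join(rec["hits"]))
```

The port is reported as its own reason rather than folded into the others because 17982 by itself is a weak indicator; when sweeping a large log, require "ioc-port" together with a host, domain, or IP hit before treating a client as infected, and keep the bare port hits as leads to check by hand.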

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-19-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB ( 5124 bytes )
MD5 hash:  2454c2e94203dd38be837d142646498c
Detection ratio:  3 / 55
First submission:  2014-09-18 19:55:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f91c4de7271407636f9141ca69dd124581e2d670da8a50ea0a70e634fc6e301a/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-19-Sweet-Orange-EK-malware-payload.exe
File size:  242.9 KB ( 248704 bytes )
MD5 hash:  e78c7bf60a522b1ab58853375dad1161
Detection ratio:  6 / 53
First submission:  2014-09-19 23:33:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bd85d308b09a561f278afe1bda968784bf7d96f31c1f64f3e6e91ac1551e1d1/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

Malicious code in javascript from compromised website:

 

From one of the strings highlighted above, here's how it translates to the next step in the infection chain:

 

The Sweet Orange CDN gate, and how it translates to the next step in the infection chain (pointing to the Sweet Orange EK landing page):

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
