2014-09-25 - SWEET ORANGE EK - 8.28.175.67 - CDN.AMERICASRAPPER.COM:10016 - CDN5.BLUMAXMATERIAL.COM:10016

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

FIRST RUN - COMPROMISED WEBSITE AND REDIRECT CHAIN:

FIRST RUN - SWEET ORANGE EK:

SECOND RUN - COMPROMISED WEBSITE AND REDIRECT CHAIN:

SECOND RUN - SWEET ORANGE EK:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT 1 OF 2

File name:  2014-09-25-Sweet-Orange-EK-java-exploit-1-of-2.jar
File size:  46.2 KB ( 47354 bytes )
MD5 hash:  62d5d60888665de3026a3f509c1b7fa2
Detection ratio:  2 / 55
First submission:  2014-09-26 13:02:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f7fee0ec0f7edd204d28521739b2f1976625aea1517ba2ed05cb3708df327b7a/analysis/

JAVA EXPLOIT 2 OF 2

File name:  2014-09-25-Sweet-Orange-EK-java-exploit-2-of-2.jar
File size:  46.5 KB ( 47625 bytes )
MD5 hash:  9558bb2d674ec23a16d8739952e26f57
Detection ratio:  2 / 55
First submission:  2014-09-26 13:02:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/caee03cc15a21c76c5b396560c76b9779e535857982b7f305eca33391d008250/analysis/

MALWARE PAYLOAD

File name:  2014-09-25-Sweet-Orange-EK-malware-payload.exe
File size:  274.9 KB ( 281472 bytes )
MD5 hash:  9760ee7192477d991b0cf8b6a25856a7
Detection ratio:  11 / 55
First submission:  2014-09-25 15:30:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dc65a1a9c2bb3752f84b29f5dd21b2a08c2b052b3af77ea22c203cb21818c166/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

HIGHLIGHTS FROM THE TRAFFIC

Malicious script served from compromised website:

Gate pointing to Sweet Orange EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.