2014-10-03 - SWEET ORANGE EK FROM 8.28.175.74 - B.EPAVERS.COM:17767 & K.EPAVERS.COM:17767

ASSOCIATED FILES:

NOTES:

RECENT ACTIVITY I'VE DOCUMENTED FROM THIS ACTOR:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

SWEET ORANGE EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-03-Sweet-Orange-EK-flash-exploit.swf
File size:  5.1 KB ( 5183 bytes )
MD5 hash:  57d96870afc27ab4979da17b7bfbe4b3
Detection ratio:  3 / 55
First submission:  2014-09-24 19:13:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0be459401a83ee1ad588e744d14bda20a557bf908cd3e3866cec25e3821ee86d/analysis/

MALWARE PAYLOAD:

File name:  2014-10-03-Sweet-Orange-EK-malware-payload.exe
File size:  282.9 KB ( 289664 bytes )
MD5 hash:  0c7078a2e4f181feffec2808f6812e3f
Detection ratio:  12 / 55
First submission:  2014-10-02 21:56:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7c5f37fec06826a04f1ce9bd5b916dd221800f5a17531aaba4705e771ac4eea8/analysis/
Malwr link:  https://malwr.com/analysis/YzIyNWEzMzAyNTlhNDMwZGEwNTY5NzQ2MTc4Y2U4ZWI/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):

SCREENSHOTS FROM THE TRAFFIC

Malicious code in javascript from compromised website:

Redirect (gate) pointing to Sweet Orange EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
