2014-10-06 - SWEET ORANGE EK - 8.28.175.75 - RAY.WHYDOESMYEYETWITCH.NET:15106 - ASQUALITY.BASTIONWRIGHT.COM:15106

ASSOCIATED FILES:

NOTES:

THREATGLASS LINKS TO THE SAME TYPE OF SWEET ORANGE TRAFFIC:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

ORIGINAL WEBSITE AND REDIRECT CHAIN:

SWEET ORANGE EK:

POST-INFECTION TRAFFIC:

CLICK-FRAUD TRAFFIC BEGINS:

ANGLER EK GENERATED FROM POST-INFECTION CLICK-FRAUD:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-06-Sweet-Orange-EK-flash-exploit.swf
File size:  5.1 KB ( 5191 bytes )
MD5 hash:  106384c232d6450c0db4690969e64972
Detection ratio:  2 / 55
First submission:  2014-10-06 23:08:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6a1f136498cee5a257fa1d2587ac510044f6cc39b6bac9571eb47f9728eda2d8/analysis/

MALWARE PAYLOAD:

File name:  2014-10-06-Sweet-Orange-EK-malware-payload.exe
File size:  226.0 KB ( 231424 bytes )
MD5 hash:  2639ebdd46ee8a651242e3c8476420dc
Detection ratio:  5 / 52
First submission:  2014-10-06 19:29:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c0ca9fcd9ed6b5853f5a6fa5e9156e17277bd3866a0b17f91e1c17c7d0d24ff/analysis/
Malwr link:  https://malwr.com/analysis/MjdmYjQzMTNmMWMxNDg3YTk3YzM1NzJhNTQ4YjMyNDE/

FOLLOW-UP MALWARE (RERDOM):

File name:  UpdateFlashPlayer_4caf296.exe
File size:  150.0 KB ( 153600 bytes )
MD5 hash:  d1e908c919218c779b33525e2f8c373f
Detection ratio:  3 / 55
First submission:  2014-10-06 23:08:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/91a5d11985b7a0850ecef9dfe2a47cec19131bfef1c3b33009c4697f02ec0bf1/analysis/
Malwr link:  https://malwr.com/analysis/OTU1YmFkMGIxYzUyNDc2ZDgzYjU1NDZkY2I1NGFhZWU/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events and several other rules generated during the post-infection click-fraud traffic):

HIGHLIGHTS FROM THE TRAFFIC

Embedded script from network-tools.com that generates the ad traffic:

Malicious script from the ad traffic that generates the redirect:

A similar type of malicious script from the redirect generates the Sweet Orange EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.