2014-10-27 - SWEET ORANGE EK FROM 38.84.134.199 - A.PAVERSSEARCH.COM:51439 & K.RETAININGWALLINC.COM:51439

ASSOCIATED FILES:


NOTES:


RECENT ACTIVITY I'VE DOCUMENTED FROM THIS ACTOR:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


SWEET ORANGE EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-27-Sweet-Orange-EK-flash-exploit.swf
File size:  4.6 KB ( 4676 bytes )
MD5 hash:  6d5591ef4d3ddb1c0b47d52a58e36036
Detection ratio:  0 / 53
First submission:  2014-10-28 00:35:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9c5d7c0a2c1e9accfe4d22dfb3e08daa6b9dc933cb9a4c944357bf0be7c7485c/analysis/


MALWARE PAYLOAD

File name:  2014-10-27-Sweet-Orange-EK-malware-payload.exe
File size:  283.9 KB ( 290688 bytes )
MD5 hash:  a55bcf2921b05d06dfaafdaf0ca7902b
Detection ratio:  6 / 53
First submission:  2014-10-27 17:35:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/07d4adb40183a4d7826d4efa267bf6b3db6fac83f50d14fa9c5c3bb1c53567da/analysis/
Malwr.com link:  https://malwr.com/analysis/NWRlOTRiYmZiMzA5NGRiYWIxYjU2Yzg0YTBkMzg2ZmE/
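Added example (not part of the original write-up): a small Python script that recomputes size, MD5 and SHA-256 of the two extracted samples and compares them with the values listed above, so an analyst can confirm the files pulled out of the pcap or the ZIP are the ones this page describes. The MD5 values and sizes come from the listing above; the SHA-256 values are taken from the VirusTotal URL paths, which are keyed by SHA-256. The directory argument and the function names are my own.

```python
import hashlib
import sys
from pathlib import Path

# Reference values as documented on this page. The SHA-256 values are the
# identifiers in the VirusTotal links above; the MD5 values and sizes are
# from the file listings.
DOCUMENTED_SAMPLES = {
    "2014-10-27-Sweet-Orange-EK-flash-exploit.swf": {
        "size": 4676,
        "md5": "6d5591ef4d3ddb1c0b47d52a58e36036",
        "sha256": "9c5d7c0a2c1e9accfe4d22dfb3e08daa6b9dc933cb9a4c944357bf0be7c7485c",
    },
    "2014-10-27-Sweet-Orange-EK-malware-payload.exe": {
        "size": 290688,
        "md5": "a55bcf2921b05d06dfaafdaf0ca7902b",
        "sha256": "07d4adb40183a4d7826d4efa267bf6b3db6fac83f50d14fa9c5c3bb1c53567da",
    },
}


def digests(data: bytes) -> dict:
    """Return the size, MD5 and SHA-256 hex digest of an in-memory blob."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_sample(data: bytes, expected: dict) -> list:
    """Compare computed values against the documented ones.

    Returns the names of the fields that do not match (empty list = sample
    matches the write-up). Hex digests are compared case-insensitively.
    """
    got = digests(data)
    mismatches = []
    for field in ("size", "md5", "sha256"):
        want = expected[field]
        if isinstance(want, str):
            want = want.lower()
        if got[field] != want:
            mismatches.append(field)
    return mismatches


def verify_directory(directory: str) -> dict:
    """Check every documented sample found in `directory` (assumed layout:
    the extracted files sit directly in that folder under their listed names).

    Returns {filename: list_of_mismatched_fields}; a missing file is reported
    as ["missing"].
    """
    results = {}
    for name, expected in DOCUMENTED_SAMPLES.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = ["missing"]
            continue
        results[name] = check_sample(path.read_bytes(), expected)
    return results


if __name__ == "__main__":
    # Usage: python verify_samples.py <directory-with-extracted-files>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, problems in verify_directory(target).items():
        status = "OK" if not problems else "MISMATCH: " + ", ".join(problems)
        print(f"{name}: {status}")
```

A clean run prints `OK` for both files; a `md5`/`sha256` mismatch with a matching size usually means a different build of the same kit component and should be treated as a new sample rather than the one analysed here.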


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


SCREENSHOTS FROM THE TRAFFIC

Malicious, partially obfuscated script in .js file from compromised website:


Redirect/gate pointing to Sweet Orange EK:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
