2014-11-18 - VOLUMEBASS.COM KICKED OFF INFECTION CHAIN FOR SWEET ORANGE EK

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS FROM THREATGLASS PCAP

COMPROMISED WEBSITE AND REDIRECT:

 

SWEET ORANGE EK:

 

POST-INFECTION TRAFFIC:

 

CHAIN OF EVENTS FROM MY INFECTED VM

COMPROMISED WEBSITE AND REDIRECT:

 

SWEET ORANGE EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT FROM MY INFECTED VM:

File name:  2014-11-18-Sweet-Orange-EK-flash-exploit.swf
File size:  4.7 KB ( 4771 bytes )
MD5 hash:  d36ce9a53ca1f1ba8179d69ad3cdcc44
Detection ratio:  1 / 55
First submission:  2014-11-14 17:36:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b04f3e1f653467ac84cecea55c5f95d9923afafb22fa6ab9185b9d8c072bd9ed/analysis/

 

MALWARE PAYLOAD FROM MY INFECTED VM:

File name:  2014-11-18-Sweet-Orange-EK-malware-payload.exe
File size:  202.6 KB ( 207464 bytes )
MD5 hash:  f0ea771d1c7db585b2dd2199a1ae6f55
Detection ratio:  1 / 55
First submission:  2014-11-18 16:32:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3a4cb09425337bf43f939a1d8a458dfe47e73837099f6d718043fee7c36e9770/analysis/
Malwr.com link:  https://malwr.com/analysis/MzUxNjFiNzMyMTkwNDhmZGI2YjBjNmRmYjc5ZTlkMDA/

 

MALWARE PAYLOAD FROM THE THREATGLASS PCAP:

File name:  2014-11-18-Sweet-Orange-EK-malware-payload-from-threatglass-pcap.exe
File size:  213.8 KB ( 218936 bytes )
MD5 hash:  85ed7d9d44696b2d896df01b76a85500
Detection ratio:  18 / 53
First submission:  2014-11-18 00:38:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fadadd9ace9536d6bb10ead3cac4682702719b25ac8275600276236c0fbf18b9/analysis/
Malwr.com link:  https://malwr.com/analysis/ZGQyMTQ4YmNlOWJmNDUwNmJiNWZlNGE2M2IyNjNjOTY/

 

DROPPED MALWARE FROM MY INFECTED VM:

File name:  Reader.exe
File size:  2.8 MB ( 2885384 bytes )
MD5 hash:  0c719d0a3f085ef146de0bbf001a5f1b
Detection ratio:  1 / 55
First submission:  2014-11-18 16:35:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3e5880f446ae15161d73e40e8b6a8ad04c3b0bde1e454bdb5eea9865ce2df7d0/analysis/
Malwr.com link:  https://malwr.com/analysis/OWY5Y2QyMGE4MGI5NGZmYmI0ZDJlMDcwYWQ0ZTBmNzE/

 

SNORT EVENTS FROM THE INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including pre-processor events):

 

TRAFFIC HIGHLIGHTS FROM THE INFECTED VM

Script in page from compromised website:

 

Redirect pointing to the Sweet Orange EK landing page:

 

Sweet Orange EK landing page:

 

Sweet Orange EK delivers Flash exploit:

 

EXE payload sent after successful Flash exploit:

 

Follow-up malware delivered as a zip archive:

 

The infected host checks in after the follow-up malware is delivered:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.