2015-01-12 - SWEET ORANGE EK FROM 185.16.40.228 - FGTKMCBY02.EU:9633 & REUIFHEIR.COM:9633

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INITIAL WEBSITE, MALICIOUS JAVASCRIPT, AND REDIRECT:

SWEET ORANGE EK:

POST-INFECTION TRAFFIC CAUSED BY SWEET ORANGE MALWARE PAYLOAD:

NOTE:  Malwr.com analysis of the malware payload (link) includes HTTP GET requests for EXE files from wireandwoods.ru.  I only saw DNS queries for this domain from my infected VM.  The following additional HTTP GET requests can be found in the Malwr.com pcap:

SOME OF THE POST-INFECTION TRAFFIC CAUSED BY PROXY.EXE:

SOME OF THE POST-INFECTION TRAFFIC CAUSED BY INSTALL.EXE:

SNORT EVENTS

Significant events from the Emerging Threats and ETPRO rulesets using Suricata on Security Onion:

Significant events from the Talos (VRT) ruleset using Snort 2.9.7.0 on Security Onion:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2015-01-12-Sweet-Orange-EK-flash-exploit.swf
File size:  4.7 KB ( 4813 bytes )
MD5 hash:  bfdf09203ee472cf5c1b3c44d7791255
Detection ratio:  1 / 56
First submission:  2014-12-23 13:17:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/934bad8987d79418789bb89291c5972de26cfd0a3335ef507f99691d8d98aabd/

MALWARE PAYLOAD

File name:  2015-01-12-Sweet-Orange-EK-malware-payload.exe
File size:  196.0 KB ( 200704 bytes )
MD5 hash:  3188e67a5e7d263534234b4a3acf8a5c
Detection ratio:  7 / 56
First submission:  2015-01-12 16:11:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9952fc15929eee1ef2c21cc1aaf6a5f5041ce8e65e01fbe614d9709c7a155bc8/analysis/
Malwr link:  https://malwr.com/analysis/ZDRiODUxMjlhNDVjNDA1MjgxZTY1YWZiMDQzODdlMDU/

FOLLOW-UP MALWARE 1 OF 2:

File name:  proxy.exe
File size:  363.5 KB ( 372224 bytes )
MD5 hash:  93ce8b89eb0c13f807bb3e3cd302ed21
Detection ratio:  2 / 54
First submission:  2015-01-12 16:26:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a530aa5c6d8ff62743d719e71762f35d98dca90bfd025cfaca26bc961b94b155/analysis/
Malwr link:  https://malwr.com/analysis/MzEwZDVjNzIxOGYyNDczNjgxMWNjNzgxNDM3MGJmM2E/

FOLLOW-UP MALWARE 2 OF 2:

File name:  install.exe
File size:  1.4 MB ( 1436672 bytes )
MD5 hash:  f603e386508e6ba404646f2dd9adf813
Detection ratio:  7 / 56
First submission:  2015-01-12 16:27:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b1fadc9b57cfd450c5db23cc1d89cd7fac7a3c75a5b3285c46d62057034bef34/analysis/
Malwr link:  [submission hung and would not finish]

TWO ADDITIONAL EXECUTABLES EXTRACTED FROM THE MALWR.COM PCAP:

iflasher22.exe - https://www.virustotal.com/en/file/45d5f6aacbe59a7dd3e1b2b6ae029285cff8c276e5304de39d906bbb7a9c3708/analysis/
042.exe - https://www.virustotal.com/en/file/9a29fee16cf1382f9f650a8a29a34f5968079c91b59865b17cec02123af6fe70/analysis/

CHAIN OF EVENTS LEADING TO THE EXPLOIT KIT

Malicious script from initial website:

Malicious iframe from second domain in the infection chain:

302 Redirect pointing to Sweet Orange EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
