2015-02-09 - SWEET ORANGE EK FROM 91.224.141.64 - H.USEDITEMS.CA:8085 - K.VIDIHUT.COM:8085

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT:


SWEET ORANGE EK:


SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-02-09-Sweet-Orange-EK-flash-exploit.swf
File size:  7.7 KB ( 7898 bytes )
MD5 hash:  44799212c6b13887d449ccd7b7082363
Detection ratio:  1 / 57
First submission:  2015-02-07 14:51:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c799e51127d87f8cbaefa24fc921070d8eb3aada80632b07cf353ec2f469ed10/analysis/


MALWARE PAYLOAD:

File name:  2015-02-09-Sweet-Orange-EK-malware-payload.exe
File size:  218.8 KB ( 224088 bytes )
MD5 hash:  2f9040decddf61127549062b158186bc
Detection ratio:  9 / 57
First submission:  2015-02-09 23:44:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c505dd8c9d803030c5bc9932d61b46c3477fa2d936dac4c18d1f6192b77ee379/analysis/
Malwr link:  https://malwr.com/analysis/N2MxMGQ5NjM1MjFlNDZmMDg5NjkzNTQxYWVlZmI5ZTY/


SCREENSHOTS FROM THE TRAFFIC

Malicious script in a page from the compromised website.  The obfuscated script shows the de-obfuscation method for the theme_customize variable and where that variable is located:


Redirect using the theme_customize variable, which points to the Sweet Orange EK landing page:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.