2015-02-23 - SWEET ORANGE EK FROM 95.183.8.177 - H.ROCKYHILLREALTOR.COM:8085

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INFECTION TRAFFIC:

POST-INFECTION TRAFFIC:

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Notable signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-02-23-Sweet-Orange-EK-flash-exploit.swf
File size:  8.1 KB ( 8272 bytes )
MD5 hash:  270533e84d9dc5b978699892d37313d3
Detection ratio:  1 / 56
First submission:  2015-02-17 08:08:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e45ccf263a43971cb2a6d86271d0773ad997a387ffbc1dab4b3bfa8f952e561/analysis/

MALWARE PAYLOAD:

File name:  2015-02-23-Sweet-Orange-EK-malware-payload.exe
File size:  243.0 KB ( 248880 bytes )
MD5 hash:  616f8966d03a3a6f00891d40a17b00c5
Detection ratio:  25 / 57
First submission:  2015-02-23 00:05:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d2025e0d2adb28d51debe5f64387bf238503434dc76c9666e3c09fbc0c6951f2/analysis/
Malwr link:  https://malwr.com/analysis/Y2Q2ZWM5ZTMxOWE5NDk0YmJjZDEwNzAwNjhjODBhMzI/

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.