2014-01-26 - SWEET ORANGE EK USES MSIE EXPLOIT
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-01-26-Sweet-Orange-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-01-26-Sweet-Orange-EK-malware.zip
NOTES:
Sweet Orange is an exploit kit that's been around for a while. I hadn't run across Sweet Orange in quite a while--well before I started doing this blog. But that changed earlier today while I was looking through Scumware.org to find a compromised website and generate some infection traffic. One of the websites I found infected a vulnerable host, and it generated some Sweet Orange EK events in the process.
Let's take a closer look at the infection traffic...
SNORT EVENTS
For this infection, Security Onion was monitoring a VM running Windows 7 SP1 with IE 8. Here are the Snort events seen in Sguil:
- 2014-01-26 01:05:29 GMT - 82.146.35.151 port 80 -> 192.168.204.163 port 49220 - ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013
- 2014-01-26 01:05:31 GMT - 192.168.204.163 port 49225 -> 82.146.35.151 port 80 - ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request
- 2014-01-26 01:05:31 GMT - 82.146.35.151 port 80 -> 192.168.204.163 port 49225 - ET POLICY PE EXE or DLL Windows file download
- 2014-01-26 01:05:34 GMT - 192.168.204.163 port 49228 -> 198.50.198.182 port 80 - ET TROJAN Fareit/Pony Downloader Checkin 2
- 2014-01-26 01:05:34 GMT - 192.168.204.163 port 49228 -> 198.50.198.182 port 80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
- 2014-01-26 01:05:34 GMT - 192.168.204.163 port 49228 -> 198.50.198.182 port 80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters
- 2014-01-26 01:05:35 GMT - 198.50.198.182 port 80 -> 192.168.204.163 port 49229 - ET POLICY PE EXE or DLL Windows file download
- 2014-01-26 01:05:35 GMT - 198.50.198.182 port 80 -> 192.168.204.163 port 49229 - ET INFO EXE - Served Attached HTTP
INFECTION CHAIN OF EVENTS
- 2014-01-26 01:05:27 GMT - 192.168.204.163 port 49219 - 113.20.9.49 port 80 - www.bluelakechalet.co.nz - GET /
- 2014-01-26 01:05:29 GMT - 192.168.204.163 port 49220 - 82.146.35.151 port 80 - drydgetypess.us - GET /src/siteindex.php?pages=21
- 2014-01-26 01:05:32 GMT - 192.168.204.163 port 49225 - 82.146.35.151 port 80 - likestwittersfoll.us - GET /cert.php?files=394&products=4&cart=155&firefox=171&sport=514&iraq=653&maps=750&game=55
- 2014-01-26 01:05:35 GMT - 192.168.204.163 port 49228 - 198.50.198.182 port 80 - anonsinformstim.us - POST /kweb/gate.php HTTP/1.0
- 2014-01-26 01:05:36 GMT - 192.168.204.163 port 49229 - 198.50.198.182 port 80 - clocksflowers.us - GET /kwb.php?id=1 HTTP/1.0
- 2014-01-26 01:05:37 GMT - 192.168.204.163 port 49230 - 198.50.198.182 port 80 - clocksflowers.us - GET /kwb.php?id=2 HTTP/1.0
ASSOCIATED DOMAINS AND IP ADDRESSES
Sweet Orange EK domain names: drydgetypess.us and likestwittersfoll.us
Sponsoring registrar: Internet.bs Corp.
Registration date for both domains: 2014-01-23
IP address for both domains: 82.146.35.151
IP Location: Belgium - ISPsystem CJSC
ASN: Belgium AS29182 ISPSYSTEM-AS ISPsystem Autonomous System (registered Jun 23, 2003)
Resolve Host: denisla20001.timhost.ru
Org-name: CJSC Cloud
Address: CJSC Cloud, Raduzhny, 32-34
Address: PoBox2, Irkutsk, 664017
Country: Russian Federation
Callback domain names: likestwittersfoll.us and clocksflowers.us
Sponsoring registrar: Internet.bs Corp.
Registration date for likestwittersfoll.us: 2014-01-25
Registration date for clocksflowers.us: 2014-01-10
IP address for both domains: 198.50.198.182
IP Location: Canada, Montreal - Private Customer
ASN: Canada AS16276 OVH OVH Systems (registered Feb 15, 2001)
CustName: Private Customer
Address: Private Residence
City: Vinnitsa
Country: UA (Ukraine)
INFECTION TRAFFIC DETAILS
Traffic to the index page for www.bluelakechalet.co.nz has an iframe to the Sweet Orange domain:
This Sweet Orange domain on drydgetypess.us (82.146.35.151) sends the exploit:
- ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (ET signature 2017817)
- ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request (ET signature 2017706)
The HTML is gzip-compressed, so Wireshark's TCP stream view only shows the compressed bytes; extract the decoded page from the PCAP using: File --> Export Objects --> HTTP
I've posted the HTML to malwr.com, where you can go to Static Analysis tab and look at the Strings section to view the entire HTML file (here's the link). Below is an image of the beginning of that page:
Here's the end of the page:
This is the MSIE exploit for CVE-2013-2551 under some obfuscation. On a vulnerable host, it generates an HTTP GET request for the malware from the same IP address (82.146.35.151) using a different domain name (likestwittersfoll.us):
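The extraction step above can also be done outside Wireshark. Below is an added example (not from the original post) that takes a raw HTTP response, undoes chunked framing and gzip content encoding, and pulls out the iframe sources; the response bytes are constructed here, with a sample page carrying the landing-page URI seen in this traffic.

```python
import gzip
import re

def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    return lines[0].decode(), headers, body

def dechunk(body: bytes) -> bytes:
    """Decode Transfer-Encoding: chunked framing (size line in hex, then data)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2

def response_html(raw: bytes) -> str:
    """Return the decoded HTML: dechunk first, then gunzip if the server compressed it."""
    _, headers, body = split_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")

IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']?(?P<src>[^"\'\s>]+)', re.I)

def iframe_sources(html: str):
    """List every iframe src in the page; hidden 1x1 iframes are the injection pattern."""
    return IFRAME_RE.findall(html)

# Constructed sample: a compromised index page with a hidden iframe to the
# landing-page URI from this write-up, served gzip-compressed and chunked.
_page = (b'<html><body><h1>Blue Lake Chalet</h1>'
         b'<iframe src="http://drydgetypess.us/src/siteindex.php?pages=21" '
         b'width="1" height="1" style="visibility:hidden"></iframe></body></html>')
_gz = gzip.compress(_page)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
                   + b"%x\r\n" % len(_gz) + _gz + b"\r\n0\r\n\r\n")
```

Feed it the bytes of a single response reassembled from the stream; the iframe list is what you compare against the landing-page domains.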
POST-INFECTION CALLBACK TRAFFIC
After the initial malware download, we see an HTTP POST as the infected host checks in with anonsinformstim.us (198.50.198.182):
- ET TROJAN Fareit/Pony Downloader Checkin 2 (ET signature 2014411)
- ET TROJAN Trojan Generic - POST To gate.php with no referer (ET signature 2017930)
- ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (ET signature 2016173)
After the infected host checked in with anonsinformstim.us, it called back for more malware. Here's the HTTP GET request for more malware from clocksflowers.us (also on 198.50.198.182):
Here's the second HTTP GET request for another piece of malware from clocksflowers.us:
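Two patterns in this chain are worth turning into a check: the same server IP serving the landing page and the payload under different domain names (and again for the check-in and follow-up downloads), and the POST to a gate.php URI with no referer that the Fareit/Pony signatures key on. The script below is an added example, not part of the original post; the log lines are abridged from the chain of events above and embedded as constructed sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, same layout as the infection chain listed above.
EVENTS = """\
2014-01-26 01:05:27 GMT - 192.168.204.163 port 49219 - 113.20.9.49 port 80 - www.bluelakechalet.co.nz - GET /
2014-01-26 01:05:29 GMT - 192.168.204.163 port 49220 - 82.146.35.151 port 80 - drydgetypess.us - GET /src/siteindex.php?pages=21
2014-01-26 01:05:32 GMT - 192.168.204.163 port 49225 - 82.146.35.151 port 80 - likestwittersfoll.us - GET /cert.php?files=394&products=4
2014-01-26 01:05:35 GMT - 192.168.204.163 port 49228 - 198.50.198.182 port 80 - anonsinformstim.us - POST /kweb/gate.php HTTP/1.0
2014-01-26 01:05:36 GMT - 192.168.204.163 port 49229 - 198.50.198.182 port 80 - clocksflowers.us - GET /kwb.php?id=1 HTTP/1.0
2014-01-26 01:05:37 GMT - 192.168.204.163 port 49230 - 198.50.198.182 port 80 - clocksflowers.us - GET /kwb.php?id=2 HTTP/1.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) GMT - (?P<src>[\d.]+) port (?P<sport>\d+) - "
    r"(?P<dst>[\d.]+) port (?P<dport>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)"
)

def parse_events(text):
    """Parse each line into a dict; lines that do not match the layout are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(d)
    return out

def find_domain_pivots(events, window_s=60):
    """Map each dst IP that served two or more hostnames within window_s seconds
    to the sorted hostnames: the 'same IP, different domain' pattern in this chain."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["dst"]].append(e)
    pivots = {}
    for ip, evs in by_ip.items():
        hosts = sorted({e["host"] for e in evs})
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        if len(hosts) >= 2 and span <= window_s:
            pivots[ip] = hosts
    return pivots

def find_gate_checkins(events):
    """Return (host, path) for POSTs to a gate.php URI, the Pony/Fareit check-in shape."""
    return [(e["host"], e["path"]) for e in events
            if e["method"] == "POST" and e["path"].split("?")[0].endswith("/gate.php")]
```

Run against a proxy or Bro/Zeek HTTP log reformatted to this layout, the pivot list gives you the server IPs to block and the check-in list the hosts to pull for triage.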
PRELIMINARY MALWARE ANALYSIS
File name: 2014-01-26-malware-from-likestwittersfoll.us.exe
File size: 85.0 KB ( 87040 bytes )
MD5 hash: 106009e42576b66c2a6fe05a9d4de959
VirusTotal link: https://www.virustotal.com/en/file/98c79dd4b0aa4f8e41504c74295a2269eb9bed8043b39f83d1c279d5b3d55db9/analysis/
Detection ratio: 9 / 50
First submission: 2014-01-26 02:24:49 GMT
Malwr Link: https://malwr.com/analysis/YjhmYmFjMzAzMjdlNDJhYzlhYzIyNTU3NGI0MzBkMGU/
File name: 2014-01-26-malware-from-clocksflowers.us-01.exe
File size: 96.5 KB ( 98790 bytes )
MD5 hash: 713771623ac895731893c9a3ca4d3150
VirusTotal link: https://www.virustotal.com/en/file/72228871d171164f212a2a652a833cf4433b9b31ec2c9cd6138eede460694017/analysis/
Detection ratio: 25 / 50
First submission: 2014-01-26 02:25:15 GMT
Malwr Link: https://malwr.com/analysis/OTAyNzk4Y2MwN2U5NGFmOGE2OGJjY2IxZDA2YWI2ODk/
File name: 2014-01-26-malware-from-clocksflowers.us-02.exe
File size: 522.0 KB ( 534544 bytes )
MD5 hash: d2aaa839f8a8861f7a214ea97540c57d
VirusTotal link: https://www.virustotal.com/en/file/b193f8e95a02b40a688a7ad23fee4dbc97d8b49b567eefce08658d1ce292ae21/analysis/
Detection ratio: 5 / 49
First submission: 2014-01-26 02:25:41 GMT
Malwr Link: https://malwr.com/analysis/OWM5MzRjMjJkZjY1NDI1NGJlMTc1NDNmZmFhMjI1ODY/
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2014-01-26-Sweet-Orange-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-01-26-Sweet-Orange-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.