2014-02-04 - SWEET ORANGE EK OVER TCP PORT 60012
PCAP AND MALWARE
- ZIP of the PCAP: 2014-02-04-Sweet-Orange-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-04-Sweet-Orange-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 159.253.36.77 - hayatmersin.com - Compromised website
- 82.146.54.38 - destingshugo.us - Sweet Orange EK domain over TCP port 60012
INFECTION CHAIN OF EVENTS
- 03:34:14 UTC - 192.168.204.156:49329 - 159.253.36.77:80 - hayatmersin.com - GET /
- 03:34:16 UTC - 192.168.204.156:49335 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/link.php?contactus=27
- 03:34:39 UTC - 192.168.204.156:49354 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/DECwlWSw.jar
- 03:34:39 UTC - 192.168.204.156:49356 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/hFkxYAC.jar
- 03:34:39 UTC - 192.168.204.156:49355 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/DECwlWSw.jar
- 03:34:41 UTC - 192.168.204.156:49356 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /directory.php?corp=501&media=224&create=4&pages=681&impressum=171&refer=436&extra=321&sony=436&subs=304&data=329
- 03:34:41 UTC - 192.168.204.156:49355 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /directory.php?corp=501&media=224&create=4&pages=681&impressum=171&refer=436&extra=321&sony=436&subs=304&data=390
PRELIMINARY MALWARE ANALYSIS
FIRST JAVA EXPLOIT
File name: DECwlWSw.jar
File size: 59.9 KB ( 61297 bytes )
MD5 hash: fbb1d16a1eb58d1fd132a33a33ab4fcb
Detection ratio: 1 / 50
First submission: 2014-02-04 04:26:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/7ff7f50fefa8336ae519ab58509b9fa00e01a78d9b42b54566bc03147a2b2420/analysis/
SECOND JAVA EXPLOIT
File name: hFkxYAC.jar
File size: 58.9 KB ( 60307 bytes )
MD5 hash: 8f106b5b47a5645fe55bf2f93463c2a3
Detection ratio: 1 / 50
First submission: 2014-02-04 04:25:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/c854708216a050b733079b3eee49d5b4690396d498343401cf19c3c9f5830776/analysis/
MALWARE PAYLOAD
File name: flash_updater.exe
File size: 88.5 KB ( 90624 bytes )
MD5 hash: 300a1c31e1713292f4dd418e7c37c331
Detection ratio: 28 / 50
First submission: 2014-02-04 04:25:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/2a2c72c9d4c72f15c53ca65648cee8064026d38d3ae4f58cd23e49d5c8fa5f57/analysis/
SNORT EVENTS
SNORT EVENTS FOR SWEET ORANGE EK TRAFFIC (FROM SECURITY ONION)
I didn't see anything, possibly because the exploit traffic was over TCP port 60012 instead of a normal HTTP port. If it had happened over a normal HTTP port, this activity should've created an alert for ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request and other associated events.
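The infection chain above and the missed Snort alerts make the same point: port-based HTTP inspection does not see a request to TCP 60012. The script below is an added example (not part of the original post or of Security Onion) that parses flow lines in the format used in the infection chain, flags HTTP requests to ports outside an assumed HTTP_PORTS set, matches the destination against the IoCs listed on this page, and notes .jar downloads. The HTTP_PORTS set is an assumption modelled on a typical IDS HTTP_PORTS variable; the sample lines are copied from the chain of events above.

```python
"""Triage flow-summary lines for HTTP on non-standard ports and known-bad hosts."""
import re
from dataclasses import dataclass

# Assumption: ports a default IDS HTTP_PORTS variable would inspect as HTTP.
# Tune this to your own sensor configuration.
HTTP_PORTS = {80, 81, 8000, 8008, 8080, 8088, 8888}

# Indicators taken from this post's "associated domains" list.
BAD_HOSTS = {"destingshugo.us", "82.146.54.38"}

# One line per request: "HH:MM:SS UTC - src:port - dst:port - host[:port] - METHOD /path"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) - "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) - "
    r"(?P<host>[^\s:]+)(?::(?P<host_port>\d+))? - "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Sample input copied from the infection chain in this post (the long
# directory.php URLs re-joined onto single lines).
SAMPLE_LINES = [
    "03:34:14 UTC - 192.168.204.156:49329 - 159.253.36.77:80 - hayatmersin.com - GET /",
    "03:34:16 UTC - 192.168.204.156:49335 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/link.php?contactus=27",
    "03:34:39 UTC - 192.168.204.156:49354 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/DECwlWSw.jar",
    "03:34:39 UTC - 192.168.204.156:49356 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/hFkxYAC.jar",
    "03:34:39 UTC - 192.168.204.156:49355 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /administratie/DECwlWSw.jar",
    "03:34:41 UTC - 192.168.204.156:49356 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /directory.php?corp=501&media=224&create=4&pages=681&impressum=171&refer=436&extra=321&sony=436&subs=304&data=329",
    "03:34:41 UTC - 192.168.204.156:49355 - 82.146.54.38:60012 - destingshugo.us:60012 - GET /directory.php?corp=501&media=224&create=4&pages=681&impressum=171&refer=436&extra=321&sony=436&subs=304&data=390",
]


@dataclass
class Flow:
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    host: str
    method: str
    path: str


def parse_flow(line):
    """Parse one flow line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        time=m["time"],
        src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        host=m["host"], method=m["method"], path=m["path"],
    )


def findings(flow):
    """Return the list of reasons this flow deserves a closer look."""
    hits = []
    # HTTP on a port the IDS does not treat as HTTP: rules keyed on
    # HTTP_PORTS (like the Sweet Orange ET rules) never fire on it.
    if flow.dst_port not in HTTP_PORTS:
        hits.append("http-on-nonstandard-port")
    if flow.host in BAD_HOSTS or flow.dst_ip in BAD_HOSTS:
        hits.append("known-bad-host")
    # Java archives fetched from a web server are typical exploit-kit stages.
    if flow.path.lower().split("?", 1)[0].endswith(".jar"):
        hits.append("jar-download")
    return hits


def triage(lines):
    """Return (time, host:port, path, reasons) for every flow with findings."""
    report = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        hits = findings(flow)
        if hits:
            report.append((flow.time, f"{flow.host}:{flow.dst_port}", flow.path, hits))
    return report


if __name__ == "__main__":
    for time, dest, path, hits in triage(SAMPLE_LINES):
        print(f"{time} {dest} {path[:40]} {', '.join(hits)}")
```

Run against the chain above, every request to destingshugo.us is flagged on two counts (non-standard port and known-bad host), and the three .jar retrievals get a third; the initial GET to the compromised site on port 80 produces nothing, which is what you would expect from a port-based rule set and why the host-based indicators matter here.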
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe in the infected web page - hayatmersin.com/
Sweet Orange EK domain delivers one of the Java exploits - destingshugo.us:60012/administratie/DECwlWSw.jar
Sweet Orange EK domain delivers EXE payload - destingshugo.us:60012/directory.php?corp=501&media=224&create=4&pages=681&impressum=171&refer=436&extra=321&sony=436&subs=304&data=390
NOTE: The EXE payload is delivered twice--once for each of the 2 Java exploits that were sent.
FINAL NOTES
Once again, here are links for PCAP file of the traffic and ZIP file of the associated malware:
- ZIP of the PCAP: 2014-02-04-Sweet-Orange-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-04-Sweet-Orange-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.