2014-06-28 - SWEET ORANGE EK FROM 94.185.80.43 PORT 8590 - NULAPTRA.INDOLOCKER.COM - TYJALOS.TORNADO-365.COM

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-28-Sweet-Orange-EK-both-pcaps.zip
• ZIP of the malware:  2014-06-28-Sweet-Orange-EK-malware-payload.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 83.166.234.103 - zamcheck.org - ad traffic with malicious javascript
• 94.185.80.43 - nulaptra.indolocker.com and tyjalos.tornado-365.com - Sweet Orange EK on TCP port 8590
• 217.23.10.132 - callback traffic using DNS over UDP port 53 - from infected VM and Malwr.com sandbox analysis
• 50.77.231.183 - additional IP noted in callback traffic using DNS over UDP port 53 - from Malwr.com sandbox analysis

 

AD-BASED REDIRECT:

• 16:34:00 UTC - 192.168.204.215:49170 - 83.166.234.103:80 - zamcheck.org - GET /300x250/int.php?eh=51312

SWEET ORANGE EK:

• 16:34:03 UTC - 192.168.204.215:49173 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/config.php?wifi=69
• 16:34:06 UTC - 192.168.204.215:49173 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/CIUhYc   [Flash exploit]
• 16:34:13 UTC - 192.168.204.215:49176 - 94.185.80.43:8590 - tyjalos.tornado-365.com:8590 - GET /stars.php?click=469   [malware payload]
• 16:35:01 UTC - 192.168.204.215:49178 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/gRHfAMJC.jar
• 16:35:01 UTC - 192.168.204.215:49179 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/HIwdF.jar
• 16:35:01 UTC - 192.168.204.215:49177 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/gRHfAMJC.jar
• 16:35:02 UTC - 192.168.204.215:49178 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/gRHfAMJC.jar
• 16:35:02 UTC - 192.168.204.215:49178 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/gRHfAMJC.jar
• 16:35:06 UTC - 192.168.204.215:49178 - 94.185.80.43:8590 - nulaptra.indolocker.com:8590 - GET /includes/gRHfAMJC.jar

NOTE: The requests for .jar files all returned a 404 Not Found response.

 

POST-INFECTION TRAFFIC (FROM INFECTED VM):

• 16:34:46 - 192.168.204.215:56458 - 217.23.10.132:53 - Standard query ANY 5020.eea1d2de3883b2c4e0cbe303be43d075f43529d7577d7ef4a2.search.google.com
• 16:34:46 - 217.23.10.132:53 - 192.168.204.215:56458 - Standard query response A 0.0.0.0 TXT (539 bytes)
• 16:34:46 - 192.168.204.215:49513 - 217.23.10.132:53 - Standard query TXT 0.6932.images.google.com
• 16:34:46 - 217.23.10.132:53 - 192.168.204.215:49513 - Standard query response TXT (317 bytes)
• 16:34:46 - 192.168.204.215:62585 - 217.23.10.132:53 - Standard query TXT 1.6932.images.google.com
• 16:34:46 - 217.23.10.132:53 - 192.168.204.215:62585 - Standard query response TXT (317 bytes)
• 16:34:46 - 192.168.204.215:62655 - 217.23.10.132:53 - Standard query TXT 2.6932.images.google.com
• 16:34:47 - 217.23.10.132:53 - 192.168.204.215:62655 - Standard query response TXT (317 bytes)
• 16:34:47 - 192.168.204.215:58412 - 217.23.10.132:53 - Standard query TXT 3.6932.images.google.com
• 16:34:47 - 217.23.10.132:53 - 192.168.204.215:58412 - Standard query response TXT (317 bytes)
• 16:34:47 - 192.168.204.215:55368 - 217.23.10.132:53 - Standard query TXT 4.6932.images.google.com
• 16:34:47 - 217.23.10.132:53 - 192.168.204.215:55368 - Standard query response TXT (317 bytes)
• 16:34:47 - 192.168.204.215:53801 - 217.23.10.132:53 - Standard query TXT 5.6932.images.google.com
• 16:34:47 - 217.23.10.132:53 - 192.168.204.215:53801 - Standard query response TXT (317 bytes)
• 16:34:47 - 192.168.204.215:60608 - 217.23.10.132:53 - Standard query TXT 6.6932.images.google.com
• 16:34:47 - 217.23.10.132:53 - 192.168.204.215:60608 - Standard query response TXT (317 bytes)
• 16:34:47 - 192.168.204.215:56689 - 217.23.10.132:53 - Standard query TXT 7.6932.images.google.com
• 16:34:48 - 217.23.10.132:53 - 192.168.204.215:56689 - Standard query response TXT (317 bytes)
• 16:34:48 - 192.168.204.215:52530 - 217.23.10.132:53 - Standard query TXT 8.6932.images.google.com
• 16:34:48 - 217.23.10.132:53 - 192.168.204.215:52530 - Standard query response TXT (317 bytes)
• 16:34:48 - 192.168.204.215:64889 - 217.23.10.132:53 - Standard query TXT 9.6932.images.google.com
• 16:34:48 - 217.23.10.132:53 - 192.168.204.215:64889 - Standard query response TXT (317 bytes)
• 16:34:48 - 192.168.204.215:54490 - 217.23.10.132:53 - Standard query TXT 10.6932.images.google.com
• 16:34:48 - 217.23.10.132:53 - 192.168.204.215:54490 - Standard query response TXT (318 bytes)
• 16:34:48 - 192.168.204.215:64725 - 217.23.10.132:53 - Standard query TXT 11.6932.images.google.com
• 16:34:48 - 217.23.10.132:53 - 192.168.204.215:64725 - Standard query response TXT (318 bytes)
• 16:34:48 - 192.168.204.215:59060 - 217.23.10.132:53 - Standard query TXT 12.6932.images.google.com
• 16:34:49 - 217.23.10.132:53 - 192.168.204.215:59060 - Standard query response TXT (318 bytes)
• 16:34:49 - 192.168.204.215:50183 - 217.23.10.132:53 - Standard query TXT 13.6932.images.google.com
• 16:34:49 - 217.23.10.132:53 - 192.168.204.215:50183 - Standard query response TXT (318 bytes)
• 16:34:49 - 192.168.204.215:62561 - 217.23.10.132:53 - Standard query TXT 14.6932.images.google.com
• 16:34:49 - 217.23.10.132:53 - 192.168.204.215:62561 - Standard query response TXT (318 bytes)
• 16:34:49 - 192.168.204.215:59399 - 217.23.10.132:53 - Standard query TXT 15.6932.images.google.com
• 16:34:49 - 217.23.10.132:53 - 192.168.204.215:59399 - Standard query response TXT (318 bytes)
• 16:34:49 - 192.168.204.215:50369 - 217.23.10.132:53 - Standard query TXT 16.6932.images.google.com
• 16:34:49 - 217.23.10.132:53 - 192.168.204.215:50369 - Standard query response TXT (318 bytes)
• 16:34:49 - 192.168.204.215:53488 - 217.23.10.132:53 - Standard query TXT 17.6932.images.google.com
• 16:34:50 - 217.23.10.132:53 - 192.168.204.215:53488 - Standard query response TXT (318 bytes)
• 16:34:51 - 192.168.204.215:57821 - 217.23.10.132:53 - Standard query TXT 18.6932.images.google.com
• 16:34:51 - 217.23.10.132:53 - 192.168.204.215:57821 - Standard query response TXT (318 bytes)
• 16:34:51 - 192.168.204.215:60996 - 217.23.10.132:53 - Standard query TXT 19.6932.images.google.com
• 16:34:51 - 217.23.10.132:53 - 192.168.204.215:57821 - Standard query response TXT (318 bytes)
• Continues throughout PCAP of traffic from infected VM.

 

POST-INFECTION TRAFFIC (FROM MALWR.COM ANALYSIS OF MALWARE):

• 02:35:24 - 192.168.56.101:1036 - 217.23.10.132:53 - Standard query ANY 5020.51ab1a6978ac5fec63139d96c6ed6f1c0fed1a40b6ed52203f.search.google.com
• 02:35:24 - 217.23.10.132:53 - 192.168.56.101:1036 - Standard query response A 0.0.0.0 TXT (547 bytes)
• 02:35:24 - 192.168.56.101:1038 - 50.77.231.183:53 - Standard query TXT 0.4565.images.horoshoza.com
• 02:35:24 - 50.77.231.183:53 - 192.168.56.101:1038 - Standard query response TXT (320 bytes)
• 02:35:24 - 192.168.56.101:1039 - 50.77.231.183:53 - Standard query TXT 1.4565.images.horoshoza.com
• 02:35:25 - 50.77.231.183:53 - 192.168.56.101:1039 - Standard query response TXT (320 bytes)
• 02:35:25 - 192.168.56.101:1040 - 50.77.231.183:53 - Standard query TXT 2.4565.images.horoshoza.com
• 02:35:25 - 50.77.231.183:53 - 192.168.56.101:1040 - Standard query response TXT (320 bytes)
• 02:35:25 - 192.168.56.101:1041 - 50.77.231.183:53 - Standard query TXT 3.4565.images.horoshoza.com
• 02:35:26 - 50.77.231.183:53 - 192.168.56.101:1041 - Standard query response TXT (320 bytes)
• 02:35:26 - 192.168.56.101:1042 - 50.77.231.183:53 - Standard query TXT 4.4565.images.horoshoza.com
• 02:35:26 - 50.77.231.183:53 - 192.168.56.101:1042 - Standard query response TXT (320 bytes)
• 02:35:26 - 192.168.56.101:1043 - 50.77.231.183:53 - Standard query TXT 5.4565.images.horoshoza.com
• 02:35:26 - 50.77.231.183:53 - 192.168.56.101:1043 - Standard query response TXT (320 bytes)
• 02:35:26 - 192.168.56.101:1044 - 50.77.231.183:53 - Standard query TXT 6.4565.images.horoshoza.com
• 02:35:27 - 50.77.231.183:53 - 192.168.56.101:1044 - Standard query response TXT (320 bytes)
• 02:35:27 - 192.168.56.101:1045 - 50.77.231.183:53 - Standard query TXT 7.4565.images.horoshoza.com
• 02:35:28 - 50.77.231.183:53 - 192.168.56.101:1045 - Standard query response TXT (320 bytes)
• 02:35:28 - 192.168.56.101:1046 - 50.77.231.183:53 - Standard query TXT 8.4565.images.horoshoza.com
• 02:35:28 - 50.77.231.183:53 - 192.168.56.101:1046 - Standard query response TXT (320 bytes)
• 02:35:28 - 192.168.56.101:1047 - 50.77.231.183:53 - Standard query TXT 9.4565.images.horoshoza.com
• 02:35:28 - 50.77.231.183:53 - 192.168.56.101:1047 - Standard query response TXT (320 bytes)
• 02:35:28 - 192.168.56.101:1048 - 50.77.231.183:53 - Standard query TXT 10.4565.images.horoshoza.com
• 02:35:29 - 50.77.231.183:53 - 192.168.56.101:1048 - Standard query response TXT (321 bytes)
• 02:35:29 - 192.168.56.101:1049 - 50.77.231.183:53 - Standard query TXT 11.4565.images.horoshoza.com
• 02:35:29 - 50.77.231.183:53 - 192.168.56.101:1049 - Standard query response TXT (321 bytes)
• 02:35:29 - 192.168.56.101:1050 - 50.77.231.183:53 - Standard query TXT 12.4565.images.horoshoza.com
• 02:35:30 - 50.77.231.183:53 - 192.168.56.101:1050 - Standard query response TXT (321 bytes)
• 02:35:30 - 192.168.56.101:1051 - 50.77.231.183:53 - Standard query TXT 13.4565.images.horoshoza.com
• 02:35:30 - 50.77.231.183:53 - 192.168.56.101:1051 - Standard query response TXT (321 bytes)
• 02:35:30 - 192.168.56.101:1052 - 50.77.231.183:53 - Standard query TXT 14.4565.images.horoshoza.com
• 02:35:30 - 50.77.231.183:53 - 192.168.56.101:1052 - Standard query response TXT (321 bytes)
• 02:35:30 - 192.168.56.101:1053 - 50.77.231.183:53 - Standard query TXT 15.4565.images.horoshoza.com
• 02:35:31 - 50.77.231.183:53 - 192.168.56.101:1053 - Standard query response TXT (321 bytes)
• 02:35:31 - 192.168.56.101:1054 - 50.77.231.183:53 - Standard query TXT 16.4565.images.horoshoza.com
• 02:35:31 - 50.77.231.183:53 - 192.168.56.101:1054 - Standard query response TXT (321 bytes)
• 02:35:33 - 192.168.56.101:1055 - 50.77.231.183:53 - Standard query TXT 17.4565.images.horoshoza.com
• 02:35:34 - 50.77.231.183:53 - 192.168.56.101:1055 - Standard query response TXT (321 bytes)
• Continues throughout PCAP from Malwr.com's sandbox analysis of the malware.

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-28-Sweet-Orange-EK-flash-exploit.swf
File size:  4.2 KB ( 4337 bytes )
MD5 hash:  ad63d2543428a9dbde3b4d9d905e8733
Detection ratio:  2 / 49
First submission:  2014-06-27 08:27:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ebfa23acd2e6c2f315f322640ec279788efe97b9580568af9b9b60c4d1eafbc7/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-28-Sweet-Orange-EK-malware-payload.exe
File size:  154.5 KB ( 158208 bytes )
MD5 hash:  41026646f5a0bab6f5bc0d118359b71a
Detection ratio:  28 / 54
First submission:  2014-06-28 13:57:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/255b5f2c8434eafd41a03cedaec29e45a46077cf464ea1c35bd54e58087c6a31/analysis/
Malwr link:  https://malwr.com/analysis/ZTc3MWE4MTY5YjViNGQ2MjkwMzBmOTJiNTBlMGVlZjk/

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-06-28-Sweet-Orange-EK-both-pcaps.zip
• ZIP of the malware:  2014-06-28-Sweet-Orange-EK-malware-payload.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.