2014-07-08 - SWEET ORANGE EK FROM 94.185.82.199 PORT 16122 - CDN.AHASTORE.NET:16122
PCAP AND MALWARE:
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-07-08-Sweet-Orange-EK-traffic.pcap.zip
- ZIP of the malware: 2014-07-08-Sweet-Orange-EK-malware.zip
NOTES:
- Thanks again to Malwageddon who tipped me off to this.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 98.138.19.143 - www.dukeupdate.com - Compromised website
- 192.185.237.164 - cdn2.movetoclarksville.com - Redirect
- 94.185.82.199 - cdn.ahastore.net:16122 - Sweet Orange EK on port 16122
COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 02:52:53 UTC - 192.168.204.220:51523 - 98.138.19.143:80 - www.dukeupdate.com - GET /
- 02:52:53 UTC - 192.168.204.220:51524 - 98.138.19.143:80 - www.dukeupdate.com - GET /js/statcounter.js
- 02:52:54 UTC - 192.168.204.220:51531 - 192.185.237.164:80 - cdn2.movetoclarksville.com - GET /k?t=2134175512
SWEET ORANGE EK:
- 02:52:55 UTC - 192.168.204.220:51536 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/stargalaxy.php?nebula=3
- 02:52:59 UTC - 192.168.204.220:51536 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/hxwXHAp [Flash exploit]
- 02:53:03 UTC - 192.168.204.220:51536 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /cars.php?staff=227 [malware payload]
- 02:53:24 UTC - 192.168.204.220:51538 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/cnJzjx.jar
- 02:53:24 UTC - 192.168.204.220:51541 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
- 02:53:24 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
- 02:53:25 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
- 02:53:26 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
- 02:53:27 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
NOTE: The GET requests for .jar files all returned a "404 Not Found" response.

As an added example (not part of the original post or the author's tooling), the following Python script parses request lines in the layout used on this page, reconstructs the host chain, and pulls out the signals a defender would want from this capture: HTTP to a server on a non-standard port (16122 here), the requests tagged as exploit and payload, and the repeated .jar requests that all came back 404. The sample lines are copied from the list above; the IOC set, the function names and the port allow-list are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the request lines from the chain-of-events section above,
# in the same "time UTC - src:port - dst:port - host - GET path [note]" layout.
EVENTS = """\
02:52:53 UTC - 192.168.204.220:51523 - 98.138.19.143:80 - www.dukeupdate.com - GET /
02:52:53 UTC - 192.168.204.220:51524 - 98.138.19.143:80 - www.dukeupdate.com - GET /js/statcounter.js
02:52:54 UTC - 192.168.204.220:51531 - 192.185.237.164:80 - cdn2.movetoclarksville.com - GET /k?t=2134175512
02:52:55 UTC - 192.168.204.220:51536 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/stargalaxy.php?nebula=3
02:52:59 UTC - 192.168.204.220:51536 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/hxwXHAp [Flash exploit]
02:53:03 UTC - 192.168.204.220:51536 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /cars.php?staff=227 [malware payload]
02:53:24 UTC - 192.168.204.220:51538 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/cnJzjx.jar
02:53:24 UTC - 192.168.204.220:51541 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
02:53:24 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
02:53:25 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
02:53:26 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
02:53:27 UTC - 192.168.204.220:51542 - 94.185.82.199:16122 - cdn.ahastore.net:16122 - GET /orders_temp/pic/Database_Administration/Fqxzdh.jar
"""

# Indicators taken from the "associated domains" list above (assumed IOC set for this example).
IOCS = {"94.185.82.199", "192.185.237.164", "cdn.ahastore.net", "cdn2.movetoclarksville.com"}

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - "
    r"(?P<host>\S+) - GET (?P<path>\S+)"
    r"(?: \[(?P<note>[^\]]+)\])?$"
)


@dataclass
class Event:
    time: str
    src: str
    dst: str
    dport: int
    host: str            # Host header value with any ":port" suffix removed
    path: str
    note: Optional[str]  # analyst tag in square brackets, if any


def parse_events(text):
    """Parse request lines in the page's layout; raise on a line that does not fit."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        events.append(Event(time=m["time"], src=m["src"], dst=m["dst"],
                            dport=int(m["dport"]), host=m["host"].split(":")[0],
                            path=m["path"], note=m["note"]))
    return events


def host_chain(events):
    """Distinct hosts in order of first contact: compromised site -> redirector -> EK."""
    seen = []
    for e in events:
        if e.host not in seen:
            seen.append(e.host)
    return seen


def nonstandard_http_ports(events, allowed=(80, 8080)):
    """Servers spoken to over HTTP on a port outside the allow-list, as 'ip:port'."""
    return sorted({f"{e.dst}:{e.dport}" for e in events if e.dport not in allowed})


def tagged_requests(events):
    """Map each analyst note (e.g. 'Flash exploit') to the path that carried it."""
    return {e.note: e.path for e in events if e.note}


def repeated_requests(events, suffix=".jar", min_count=2):
    """Paths with the given suffix requested at least min_count times; the same .jar
    being fetched over and over (all 404 in this capture) is a useful hunting signal."""
    counts = Counter(e.path for e in events if e.path.endswith(suffix))
    return {p: n for p, n in counts.items() if n >= min_count}


def ioc_hits(events, iocs=IOCS):
    """Hosts in the capture whose name or server IP appears in the IOC set."""
    return sorted({e.host for e in events if e.host in iocs or e.dst in iocs})


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("host chain:", " -> ".join(host_chain(evs)))
    print("non-standard HTTP ports:", nonstandard_http_ports(evs))
    print("tagged requests:", tagged_requests(evs))
    print("repeated .jar requests:", repeated_requests(evs))
    print("IOC hits:", ioc_hits(evs))
```

Run it as-is to see the chain from the capture summarised; point `parse_events` at lines exported from your own proxy or IDS logs in the same layout to apply the same checks there.
<test>
evs = parse_events(EVENTS)
assert len(evs) == 12
assert host_chain(evs) == ["www.dukeupdate.com", "cdn2.movetoclarksville.com", "cdn.ahastore.net"]
assert nonstandard_http_ports(evs) == ["94.185.82.199:16122"]
assert tagged_requests(evs) == {
    "Flash exploit": "/orders_temp/pic/Database_Administration/hxwXHAp",
    "malware payload": "/cars.php?staff=227",
}
assert repeated_requests(evs) == {"/orders_temp/pic/Database_Administration/Fqxzdh.jar": 5}
assert ioc_hits(evs) == ["cdn.ahastore.net", "cdn2.movetoclarksville.com"]
assert evs[3].dport == 16122 and evs[3].host == "cdn.ahastore.net"
</test>
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-07-08-Sweet-Orange-EK-flash-exploit.swf
File size: 4.2 KB (4344 bytes)
MD5 hash: 5becfc90fed8bc85cda46468e264f818
Detection ratio: 1 / 44
First submission: 2014-07-08 03:40:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/1cf9e9c36fe1a6afebad5c0319a70bd93db6506d5c04ebc46281a72643cc9490/analysis/
MALWARE PAYLOAD
File name: 2014-07-08-Sweet-Orange-EK-malware-payload.exe
File size: 252.0 KB (258048 bytes)
MD5 hash: 063222dc6d73da57da5180334be0efa5
Detection ratio: 14 / 53
First submission: 2014-07-07 13:30:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/6fb0ae0acec0bbdf1a0fe32bf9df850927c8f1a7b08dff316759b86cf0c3490b/analysis/
Malwr link: https://malwr.com/analysis/MzE0ZWUyZmZiZDYyNDE0Mjk2NWEyMDNjYTliMTVkYTQ/
HIGHLIGHTS FROM THE TRAFFIC
Javascript from compromised website:
Redirect:
Sweet Orange EK landing page:
Sweet Orange EK delivers CVE-2014-0515 Flash exploit:
EXE payload sent after successful Flash exploit:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-07-08-Sweet-Orange-EK-traffic.pcap.zip
- ZIP of the malware: 2014-07-08-Sweet-Orange-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.