2014-09-04 - SWEET ORANGE EK FROM 38.84.134.208 - CDN.LIVISTRO.COM:17982 & CDN5.MARCHEPOULET.COM:17982
ASSOCIATED FILES:
- ZIP of the pcap(s): 2014-09-04-Sweet-Orange-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-04-Sweet-Orange-EK-malware.zip
NOTES:
- Today's traffic shows a new port for Sweet Orange exploit kit traffic: 17982 instead of 16122, which is what I've seen in recent weeks.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 91.208.99.138 - www.daygame.com - Compromised website
- 192.185.16.158 - cdn.stringbassmusic.com - Redirect
- 38.84.134.208 - cdn.livistro.com:17982 and cdn5.marchepoulet.com:17982 - Sweet Orange EK
COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 2014-09-04 13:09:54 UTC - 192.168.204.151:49172 91.208.99.138:80 - www.daygame.com - GET /
- 2014-09-04 13:09:56 UTC - 192.168.204.151:49181 91.208.99.138:80 - www.daygame.com - GET /site/wp-includes/js/jquery/jquery.js
- 2014-09-04 13:09:58 UTC - 192.168.204.151:49201 192.185.16.158:80 - cdn.stringbassmusic.com - GET /k?t=2247202961
SWEET ORANGE EK:
- 2014-09-04 13:10:00 UTC - 192.168.204.151:49228 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/stargalaxy.php?nebula=3
- 2014-09-04 13:10:03 UTC - 192.168.204.151:49228 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/hxwXHAp
- 2014-09-04 13:10:09 UTC - 192.168.204.151:49284 38.84.134.208:17982 - cdn5.marchepoulet.com:17982 - GET /cars.php?rfid=218
- 2014-09-04 13:10:26 UTC - 192.168.204.151:49296 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/cnJzjx.jar
- 2014-09-04 13:10:26 UTC - 192.168.204.151:49297 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/Fqxzdh.jar
- 2014-09-04 13:10:26 UTC - 192.168.204.151:49298 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/Fqxzdh.jar
- 2014-09-04 13:10:28 UTC - 192.168.204.151:49296 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/cnJzjx.jar
- 2014-09-04 13:10:28 UTC - 192.168.204.151:49297 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/Fqxzdh.jar
- 2014-09-04 13:10:28 UTC - 192.168.204.151:49298 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/Fqxzdh.jar
- 2014-09-04 13:10:29 UTC - 192.168.204.151:49298 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/Fqxzdh.jar
- 2014-09-04 13:10:30 UTC - 192.168.204.151:49298 38.84.134.208:17982 - cdn.livistro.com:17982 - GET /proxy/cpanel/Fqxzdh.jar
NOTE: All requests for the .jar files returned: 502 Bad Gateway, so no Java exploit was actually delivered in this capture (the ET Java exploit alert in the Snort events section fired on the request URI, not on a returned file). The malware payload came back on the cars.php?rfid=218 request to cdn5.marchepoulet.com:17982; that is the connection (client port 49284) the FILE-EXECUTABLE alerts fire on.
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT - CVE-2014-0515:
File name: 2014-09-04-Sweet-Orange-EK-flash-exploit.swf
File size: 5.0 KB ( 5156 bytes )
MD5 hash: 543632124be9b7488f53167db1cb197c
Detection ratio: 2 / 55
First submission: 2014-09-04 13:54:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/5fdaa4db0c66fe58c44dc66606c0db4271990bc3c5d6375d3b4476000cb22d6b/analysis/
MALWARE PAYLOAD:
File name: 2014-09-04-Sweet-Orange-EK-malware-payload.exe
File size: 256.0 KB ( 262144 bytes )
MD5 hash: ccc315550bc34b35c1b87fc4934952ba
Detection ratio: 31 / 52
First submission: 2014-09-02 09:23:42 UTC
VirusTotal link: https://www.virustotal.com/en/file/a3214d74f0a7cd021627e05abeb6bca15ad4e4a46b0dc60d35ad17414a3a76f7/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including INFO, POLICY or WEB_CLIENT rules):
- 2014-09-04 13:09:58 UTC - 192.168.204.151:49201 - 192.185.16.158:80 - ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014 (sid:2018737)
- 2014-09-04 13:10:00 UTC - 192.168.204.151:49228 - 38.84.134.208:17982 - ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page (sid:2018786)
- 2014-09-04 13:10:26 UTC - 192.168.204.151:49297 - 38.84.134.208:17982 - ET CURRENT_EVENTS Sweet Orange EK Thread Specific Java Exploit (sid:2018987)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 2014-09-04 13:09:59 UTC - 192.185.16.158 - 192.168.204.151 - [139:1:1] (spp_sdf) SDF Combination Alert
- 2014-09-04 13:10:01 UTC - 38.84.134.208:17982 - 192.168.204.151:49228 - [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
- 2014-09-04 13:10:09 UTC - 38.84.134.208:17982 - 192.168.204.151:49284 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-09-04 13:10:09 UTC - 38.84.134.208:17982 - 192.168.204.151:49284 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
HIGHLIGHTS FROM THE TRAFFIC
From the compromised website: malicious javascript containing the jquery_datepicker function and an obfuscated URL for the redirect:
From the malicious javascript, take this string: \u0068ttp:\u002f\u002f\u0063dn.stringbas\u0073\u006d\u0075\u0073ic.\u0063o\u006d\u002fk?t\u003d
Remove the "\u00" to better see the hexadecimal: 68ttp:2f2f63dn.stringbas736d7573ic.63o6d2fk?t3d
Translate the hexadecimal to ASCII (each \u00XX escape is just the character with ASCII code XX), and the full string is: http://cdn.stringbassmusic.com/k?t=
Redirect pointing to Sweet Orange EK:
Uncompressed text:
var jquery_datepicker='K.n6U8;7K4v;7P4X=i70$Q3a$k2fP@2fN=r63;o64-H6He.2eH;l6hcR@o6Y9.I7P6@R6G9w-n7i3k-74M,72W;w6Yfl-2pej@6S3.6f@v6ud=i3aT!3k1=3o7,3N9J-38,32X@2tf@v70y;V7o2r@6fG-78O$x79,M2f!63J!v70=6P1=6e-65@6Rck@V2fi$73Q;7S4h@6P1N=N72$67,6s1$6cz!6U1u$7o8;79;Z2eO$I70K;j68T$j7t0-3fp@6eu;q6j5@62.7u5R,6c.61k,m3dS.i3o3';
Extract the hexadecimal from the jquery_datepicker variable:
68 74 74 70 3a 2f 2f 63 64 6e 2e 6c 69 76 69 73 74 72 6f 2e 63 6f 6d 3a 31 37 39 38 32 2f 70 72 6f 78 79 2f 63 70 61 6e 65 6c 2f 73 74 61 72 67 61 6c 61 78 79 2e 70 68 70 3f 6e 65 62 75 6c 61 3d 33
Convert the hexadecimal to ASCII, which translates to the Sweet Orange EK landing page:
http://cdn.livistro.com:17982/proxy/cpanel/stargalaxy.php?nebula=3
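Both decodings above, as an added Python example that is not part of the original post. The first function does what a JavaScript engine does with the \uXXXX escapes in the compromised site's script. The second applies the rule the manual extraction above relies on: every padding character in the jquery_datepicker value is outside [0-9a-f], so keeping only the lowercase hex digits, in order, and reading them as byte pairs recovers the landing-page URL. The two input strings are copied from this page; the filter rule is an observation about this sample, not a documented property of the Sweet Orange gate, so the decoder refuses input where it produces an odd number of digits.

```python
import re

# Copied from this page: the \uXXXX-escaped redirect URL inside the
# compromised site's JavaScript (raw string, so Python leaves the escapes alone).
STAGE1_ESCAPED = r"\u0068ttp:\u002f\u002f\u0063dn.stringbas\u0073\u006d\u0075\u0073ic.\u0063o\u006d\u002fk?t\u003d"

# Copied from this page: the jquery_datepicker variable returned by the redirector.
STAGE2_DATEPICKER = "K.n6U8;7K4v;7P4X=i70$Q3a$k2fP@2fN=r63;o64-H6He.2eH;l6hcR@o6Y9.I7P6@R6G9w-n7i3k-74M,72W;w6Yfl-2pej@6S3.6f@v6ud=i3aT!3k1=3o7,3N9J-38,32X@2tf@v70y;V7o2r@6fG-78O$x79,M2f!63J!v70=6P1=6e-65@6Rck@V2fi$73Q;7S4h@6P1N=N72$67,6s1$6cz!6U1u$7o8;79;Z2eO$I70K;j68T$j7t0-3fp@6eu;q6j5@62.7u5R,6c.61k,m3dS.i3o3"


def decode_unicode_escapes(s: str) -> str:
    """Replace every \\uXXXX escape with the character it encodes.

    This is exactly what the browser does when it parses the string literal,
    so the result is the URL the script actually requests.
    """
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def extract_hex_digits(s: str) -> str:
    """Keep only lowercase hex digits, in order, dropping the padding.

    Assumption (observed in this sample): the gate pads the hex string with
    characters that are never in [0-9a-f], so a plain filter recovers it.
    """
    return "".join(re.findall(r"[0-9a-f]", s))


def spaced_hex(s: str) -> str:
    """Render the recovered hex as space-separated byte pairs, as shown on the page."""
    digits = extract_hex_digits(s)
    return " ".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def decode_datepicker(s: str) -> str:
    """Decode a padded-hex gate string to the landing-page URL."""
    digits = extract_hex_digits(s)
    if len(digits) % 2:
        # An odd digit count means a padding character slipped through the
        # filter (or the gate changed its encoding); do not guess at bytes.
        raise ValueError("odd number of hex digits; padding is not all non-hex")
    return bytes.fromhex(digits).decode("ascii")


if __name__ == "__main__":
    print("stage 1 redirect :", decode_unicode_escapes(STAGE1_ESCAPED))
    print("stage 2 hex      :", spaced_hex(STAGE2_DATEPICKER))
    print("stage 2 landing  :", decode_datepicker(STAGE2_DATEPICKER))
```

Running it reproduces the two URLs in the traffic table: the gate on cdn.stringbassmusic.com and the Sweet Orange landing page on cdn.livistro.com:17982. If a future sample raises the ValueError, the gate has started padding with hex-looking characters and the filter needs to be replaced with a positional decoder.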
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap(s): 2014-09-04-Sweet-Orange-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-04-Sweet-Orange-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.