2014-09-05 - SWEET ORANGE EK FROM 8.28.175.69 - NASHVILLE.LOCKMANENTERPRISES.NET:9290 & NATIONAL.LOCKMANENTERPRISES.ORG:9290

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-09-05-Sweet-Orange-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-05-Sweet-Orange-EK-malware.zip

 

NOTES:

• This Sweet Orange EK example is not the same group who uses jquery_datepicker redirects and sends Qbot malware.
• Today's malvertizing-style infection chain usually point to Nuclear EK, so I was surprised to see Sweet Orange EK appear.
• The malware payload is a Zemot downloader that called for Rerdom.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 208.100.48.45 - www.centralpark.com - Original website
• 208.100.48.44 - ads.centralpark.com - Malicious ad traffic
• 50.7.108.162 - saw.piroscia.com - Redirect
• 8.28.175.69 - nashville.lockmanenterprises.net:9290 and national.LOCKMANENTERPRISES.ORG:9290 - Sweet Orange EK
• 65.34.68.192 - jufer-muirer.su - Post-infection traffic
• 109.251.107.244 - quret-huler.su - Post-infection traffic

 

ORIGINAL WEBSITE AND REDIRECT CHAIN:

• 2014-09-05 15:00:36 UTC - 192.168.204.145:49338 - 208.100.48.45:80 - www.centralpark.com - GET /
• 2014-09-05 15:00:37 UTC - 192.168.204.145:49356 - 208.100.48.44:80 - ads.centralpark.com - GET /www/delivery/ajs.php?zoneid=30&blockcampaign=1&cb=
  61215276831&charset=utf-8&loc=http%3A//www.centralpark.com/&referer=http%3A//www.bing.com/search%3Fq%3Dwww.+centralpark+.com%26qs%3Dn%26
  form%3DQBLH%26pq%3Dwww.+centralpark+.com%26sc%3D0-0%26sp%3D-1%26sk%3D%26cvid%3D8a9a52f2ae934a08bceaa6f3e3ec9219
• 2014-09-05 15:00:37 UTC - 192.168.204.145:49360 - 50.7.108.162:80 - saw.piroscia.com - GET /js/ads/show_ads.js?ver=3

 

SWEET ORANGE EK:

• 2014-09-05 15:00:38 UTC - 192.168.204.145:49367 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/wifi.php?styles=343
• 2014-09-05 15:00:38 UTC - 192.168.204.145:49367 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/riOthW
• 2014-09-05 15:01:04 UTC - 192.168.204.145:49374 - 8.28.175.69:9290 - national.LOCKMANENTERPRISES.ORG:9290 - GET /style.php?exec=129
• 2014-09-05 15:01:24 UTC - 192.168.204.145:49440 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/agEviyR.jar
• 2014-09-05 15:01:24 UTC - 192.168.204.145:49441 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/vqJZsPcG.jar
• 2014-09-05 15:01:24 UTC - 192.168.204.145:49439 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/vqJZsPcG.jar
• 2014-09-05 15:01:24 UTC - 192.168.204.145:49441 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/vqJZsPcG.jar
• 2014-09-05 15:01:24 UTC - 192.168.204.145:49441 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/vqJZsPcG.jar
• 2014-09-05 15:01:24 UTC - 192.168.204.145:49441 - 8.28.175.69:9290 - nashville.lockmanenterprises.net:9290 - GET /redesign/vqJZsPcG.jar

 

POST-INFECTION TRAFFIC:

• 2014-09-05 15:01:11 UTC - 192.168.204.145:49382 - 65.34.68.192:80 - jufer-muirer.su - GET /b/shoe/1480
• 2014-09-05 15:01:14 UTC - 192.168.204.145:49409 - 109.251.107.244:80 - quret-huler.su - GET /mod_articles-authl9.12/jquery/   [repeats several times]

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-05-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB ( 5156 bytes )
MD5 hash:  543632124be9b7488f53167db1cb197c
Detection ratio:  4 / 54
First submission:  2014-09-04 13:54:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5fdaa4db0c66fe58c44dc66606c0db4271990bc3c5d6375d3b4476000cb22d6b/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-05-Sweet-Orange-EK-malware-payload.exe
File size:  170.9 KB ( 174963 bytes )
MD5 hash:  470c1821d66be597a0426c704bfa0769
Detection ratio:  1 / 55
First submission:  2014-09-05 16:10:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/497ee10ac654ba43bd1a44652460bb3d132822e279ca75c8856aed08361629b7/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 8.28.175.69:9290 - 192.168.204.145:49367 - ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (sid:2017817)
• 192.168.204.145:49367 - 8.28.175.69:9290 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
• 8.28.175.69:9290 - 192.168.204.145:49374 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
• 192.168.204.145:49382 - 65.34.68.192:80 - ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
• 192.168.204.145:49382 - 65.34.68.192:80 - ET TROJAN Win32/Zemot Checkin (sid:2018643 and 2018644)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

• 2014-09-05 15:00:38 UTC - 8.28.175.69:9290 - 192.168.204.145:49367 - [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
• 2014-09-05 15:01:05 UTC - 8.28.175.69:9290 - 192.168.204.145:49374 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-05 15:01:05 UTC - 8.28.175.69:9290 - 192.168.204.145:49374 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-09-05 15:01:05 UTC - 8.28.175.69:9290 - 192.168.204.145:49374 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-09-05 15:01:10 UTC - 192.168.204.145:61798 - 192.168.204.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• 2014-09-05 15:01:12 UTC - 192.168.204.145:63366 - 192.168.204.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• 2014-09-05 15:01:13 UTC - 192.168.204.145:63366 - 192.168.204.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-09-05-Sweet-Orange-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-05-Sweet-Orange-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.