2014-09-25 - SWEET ORANGE EK - 8.28.175.67 - CDN.AMERICASRAPPER.COM:10016 - CDN5.BLUMAXMATERIAL.COM:10016
ASSOCIATED FILES:
- ZIP of the pcap: 2014-09-25-Sweet-Orange-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-25-Sweet-Orange-EK-malware.zip
NOTES:
- This actor continues to use ajax_data_source as the variable for the gate (see the screenshots section below) which I first documented on 2014-09-19.
- Like last time, today's malware payload (QBot) is digitally signed, and it didn't do anything on the infected VM.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 184.172.39.195 - www.pavtube.com - Compromised website
- 192.185.16.158 - yimg.1stdayofwinter.com - Redirect (gate)
- 8.28.175.67 - cdn.americasrapper.com:10016 & cdn5.blumaxmaterial.com:10016 - Sweet Orange EK
FIRST RUN - COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 16:17:38 UTC - 192.168.204.139:51245 - 184.172.39.195:80 - www.pavtube.com - GET /
- 16:17:39 UTC - 192.168.204.139:51251 - 184.172.39.195:80 - www.pavtube.com - GET /public/temp/js/jquery.js
- 16:17:40 UTC - 192.168.204.139:51252 - 192.185.16.158:80 - yimg.1stdayofwinter.com - GET /k?ts=2355751810
FIRST RUN - SWEET ORANGE EK:
- 16:17:42 UTC - 192.168.204.139:51263 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/office.php?record=3
- 16:17:46 UTC - 192.168.204.139:51269 - 8.28.175.67:10016 - cdn5.blumaxmaterial.com:10016 - GET /cars.php?asia=417&list=2414&timeline=4&tech=445&image=171&paper=2277&subs=807
- 16:17:59 UTC - 192.168.204.139:51276 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/ZQDMUEONxBnaUGrbMz.jnlp
- 16:17:59 UTC - 192.168.204.139:51275 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/applet.jnlp
- 16:17:59 UTC - 192.168.204.139:51275 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/applet.jnlp
- 16:17:59 UTC - 192.168.204.139:51276 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/ZQDMUEONxBnaUGrbMz.jnlp
- 16:18:00 UTC - 192.168.204.139:51275 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/applet.jnlp
- 16:18:00 UTC - 192.168.204.139:51276 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/ZQDMUEONxBnaUGrbMz.jnlp
SECOND RUN - COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 16:21:28 UTC - 192.168.204.138:49176 - 184.172.39.195:80 - www.pavtube.com - GET /
- 16:21:28 UTC - 192.168.204.138:49176 - 184.172.39.195:80 - www.pavtube.com - GET /public/temp/js/jquery.js
- 16:21:30 UTC - 192.168.204.138:49192 - 192.185.16.158:80 - yimg.1stdayofwinter.com - GET /k?ts=3464817844
SECOND RUN - SWEET ORANGE EK:
- 16:21:32 UTC - 192.168.204.138:49201 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /vmailadmin/app_code/office.php?record=3
- 16:21:50 UTC - 192.168.204.138:49212 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /vmailadmin/app_code/mpQOzOIOlV.jar
- 16:21:50 UTC - 192.168.204.138:49214 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /vmailadmin/app_code/mpQOzOIOlV.jar
- 16:21:50 UTC - 192.168.204.138:49213 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /vmailadmin/app_code/MLhBhT.jar
- 16:21:53 UTC - 192.168.204.138:49215 - 8.28.175.67:10016 - cdn5.blumaxmaterial.com:10016 - GET /cars.php?asia=417&list=2414&timeline=4&tech=445&image=171&paper=2277&subs=807&investor=414
- 16:21:53 UTC - 192.168.204.138:49216 - 8.28.175.67:10016 - cdn5.blumaxmaterial.com:10016 - GET /cars.php?asia=417&list=2414&timeline=4&tech=445&image=171&paper=2277&subs=807&investor=492
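The request listing above follows a fixed shape (time, source, destination, host, method and path), so a defender can turn it into detection logic. The script below is an added example, not part of the original post: it parses lines in that shape, tags each request using the indicators documented on this page (the gate host and its /k?ts= path, the two EK hosts, the 8.28.175.67 address, port 10016, and .jar/.jnlp downloads) and then checks per victim IP whether the gate -> EK host -> Java download sequence occurred in order. The sample log is constructed from the first run above plus one benign line (www.example.com on 203.0.113.10, a documentation address) to show that ordinary traffic is not flagged.

```python
"""Added example (not from the original post): flag the Sweet Orange EK chain
documented above in HTTP request lines of the same format as the listing."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from this page's "ASSOCIATED DOMAINS" and chain of events.
GATE_HOSTS = {"yimg.1stdayofwinter.com"}
EK_HOSTS = {"cdn.americasrapper.com", "cdn5.blumaxmaterial.com"}
EK_IPS = {"8.28.175.67"}
EK_PORT = 10016
GATE_PATH = re.compile(r"^/k\?ts=\d+$")       # gate URL shape seen above
JAVA_EXT = (".jar", ".jnlp")                   # exploit delivery seen above

# One request per line: "HH:MM:SS UTC - src:port - dst:port - host[:port] - METHOD /path"
LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>[^: ]+)(?::\d+)? - "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample: first-run lines from this page plus one benign request.
SAMPLE_LOG = """\
16:17:38 UTC - 192.168.204.139:51245 - 184.172.39.195:80 - www.pavtube.com - GET /
16:17:40 UTC - 192.168.204.139:51252 - 192.185.16.158:80 - yimg.1stdayofwinter.com - GET /k?ts=2355751810
16:17:42 UTC - 192.168.204.139:51263 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/office.php?record=3
16:17:59 UTC - 192.168.204.139:51276 - 8.28.175.67:10016 - cdn.americasrapper.com:10016 - GET /finance/ZQDMUEONxBnaUGrbMz.jnlp
16:20:01 UTC - 192.168.204.140:50001 - 203.0.113.10:80 - www.example.com - GET /index.html
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one request line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["sport"] = int(req["sport"])
    req["dport"] = int(req["dport"])
    return req


def classify(req):
    """Tag one request; an empty list means nothing on this page's indicator list matched."""
    tags = []
    if req["host"] in GATE_HOSTS or GATE_PATH.match(req["path"]):
        tags.append("gate")
    if req["host"] in EK_HOSTS or req["dst"] in EK_IPS:
        tags.append("ek-host")
    if req["dport"] == EK_PORT:
        tags.append("nonstandard-port")
    # Strip the query string before checking the extension (cars.php?asia=... is not a download).
    if urlsplit(req["path"]).path.lower().endswith(JAVA_EXT):
        tags.append("java-download")
    return tags


def find_chains(lines):
    """Group flagged requests by victim (source) IP, preserving log order."""
    chains = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        tags = classify(req)
        if tags:
            chains[req["src"]].append((req["time"], req["host"], req["path"], tags))
    return dict(chains)


def is_full_chain(events):
    """True when the victim hit the gate, then the EK host, then pulled a Java file, in that order."""
    wanted = ["gate", "ek-host", "java-download"]
    i = 0
    for _, _, _, tags in events:
        while i < len(wanted) and wanted[i] in tags:
            i += 1
    return i == len(wanted)


if __name__ == "__main__":
    for victim, events in find_chains(SAMPLE_LOG).items():
        print(victim, "full chain" if is_full_chain(events) else "partial")
        for time, host, path, tags in events:
            print("  ", time, host, path, ",".join(tags))
```

Host-based indicators are the weakest part of this check, since the actor rotates domains between posts; the port and the gate URL shape are what a detection engineer would keep watching, and the Snort signatures listed further down (sid:2019146 and sid:2017817) cover the same two stages.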
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT 1 OF 2
File name: 2014-09-25-Sweet-Orange-EK-java-exploit-1-of-2.jar
File size: 46.2 KB ( 47354 bytes )
MD5 hash: 62d5d60888665de3026a3f509c1b7fa2
Detection ratio: 2 / 55
First submission: 2014-09-26 13:02:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/f7fee0ec0f7edd204d28521739b2f1976625aea1517ba2ed05cb3708df327b7a/analysis/
JAVA EXPLOIT 2 OF 2
File name: 2014-09-25-Sweet-Orange-EK-java-exploit-2-of-2.jar
File size: 46.5 KB ( 47625 bytes )
MD5 hash: 9558bb2d674ec23a16d8739952e26f57
Detection ratio: 2 / 55
First submission: 2014-09-26 13:02:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/caee03cc15a21c76c5b396560c76b9779e535857982b7f305eca33391d008250/analysis/
MALWARE PAYLOAD
File name: 2014-09-25-Sweet-Orange-EK-malware-payload.exe
File size: 274.9 KB ( 281472 bytes )
MD5 hash: 9760ee7192477d991b0cf8b6a25856a7
Detection ratio: 11 / 55
First submission: 2014-09-25 15:30:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/dc65a1a9c2bb3752f84b29f5dd21b2a08c2b052b3af77ea22c203cb21818c166/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 16:17:40 UTC - 192.168.204.139:51252 - 192.185.16.158:80 - ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (sid:2019146)
- 16:17:42 UTC - 8.28.175.67:10016 - 192.168.204.139:51263 - ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (sid:2017817)
- 16:21:30 UTC - 192.168.204.138:49192 - 192.185.16.158:80 - ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (sid:2019146)
- 16:21:50 UTC - 8.28.175.67:10016 - 192.168.204.138:49212 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-09-25 16:17:46 UTC - 8.28.175.67:10016 - 192.168.204.139:51269 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-09-25 16:17:46 UTC - 8.28.175.67:10016 - 192.168.204.139:51269 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
HIGHLIGHTS FROM THE TRAFFIC
Malicious script served from compromised website:
Gate pointing to Sweet Orange EK:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-09-25-Sweet-Orange-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-09-25-Sweet-Orange-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.