2014-10-03 - SWEET ORANGE EK FROM 8.28.175.74 - B.EPAVERS.COM:17767 & K.EPAVERS.COM:17767
ASSOCIATED FILES:
- ZIP of the pcap: 2014-10-03-Sweet-Orange-EK-traffic.pcap.zip
- ZIP of the malware: 2014-10-03-Sweet-Orange-EK-malware.zip
NOTES:
- This actor continues to use ajax_data_source as the variable for the gate (see the screenshots section below) which I first documented on 2014-09-19.
- The malicious script from the compromised website is getting more obfuscated. Interesting to see how this is evolving.
- Like the previous two times, today's malware payload (QBot) is digitally signed, and it didn't do anything on the infected VM.
RECENT ACTIVITY I'VE DOCUMENTED FROM THIS ACTOR:
- 2014-10-03 - Sweet Orange EK from 8.28.175.74 - b.epavers.com:17767 & k.epavers.com:17767
- 2014-09-25 - Sweet Orange EK from 8.28.175.67 - cdn.americasrapper.com:10016 & cdn5.blumaxmaterial.com:10016
- 2014-09-19 - Sweet Orange EK from 8.28.175.67 - cdn2.sweetgeorgicas.net:17982 & cdn5.sweetsgeorgica.com:17982
- 2014-09-04 - Sweet Orange EK from 38.84.134.208 - cdn.livistro.com:17982 & cdn5.marchepoulet.com:17982
- 2014-08-29 - Sweet Orange EK from 95.163.121.188 - cdn3.thecritico.com:16122 & cdn5.thecritico.mx:16122
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 148.251.247.5 - eofdreams.com - Compromised website
- 192.185.16.158 - img.broadviewhome.info - Redirect (gate)
- 8.28.175.74 - b.epavers.com:17767 and k.epavers.com:17767 - Sweet Orange EK
COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 2014-10-03 01:57:52 UTC - 172.16.165.132:49174 - 148.251.247.5:80 - eofdreams.com - GET /
- 2014-10-03 01:57:52 UTC - 172.16.165.132:49175 - 148.251.247.5:80 - eofdreams.com - GET /tpl/images/jquery.js?ver=1.7.2
- 2014-10-03 01:58:21 UTC - 172.16.165.132:49186 - 192.185.16.158:80 - img.broadviewhome.info - GET /k?ts=681556379
SWEET ORANGE EK:
- 2014-10-03 01:58:22 UTC - 172.16.165.132:49201 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/birds.php?winter=3
- 2014-10-03 01:58:23 UTC - 172.16.165.132:49201 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/lLWZm
- 2014-10-03 01:58:26 UTC - 172.16.165.132:49210 - 8.28.175.74:17767 - k.epavers.com:17767 - GET /cars.php?index=1938
- 2014-10-03 01:58:38 UTC - 172.16.165.132:49215 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
- 2014-10-03 01:58:38 UTC - 172.16.165.132:49217 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/DOGgN.jar
- 2014-10-03 01:58:38 UTC - 172.16.165.132:49216 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
- 2014-10-03 01:58:38 UTC - 172.16.165.132:49216 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
- 2014-10-03 01:58:39 UTC - 172.16.165.132:49216 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
- 2014-10-03 01:58:39 UTC - 172.16.165.132:49216 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
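The chain above follows the usual shape of this actor's activity: compromised site, gate on a different host, then the exploit kit server on a high, non-standard TCP port serving a landing page, Java archives and the payload. The script below is an added example (not part of the original post or its pcap tooling) that parses request lines written in the same "timestamp - src - dst - host - method path" layout as the chain of events, rebuilds the redirect order by first-seen host, and flags the two traits a defender can key on from this traffic: HTTP on a port outside the normal web ports, and .jar retrievals. The sample lines are constructed copies of the requests listed above (including one of the repeated jar requests on port 49216); the port list and the heuristics are my own assumptions, not rules from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: requests from the chain of events above, in the
# same "timestamp - src:port - dst:port - host - GET path" layout.
EVENTS = """\
2014-10-03 01:57:52 UTC - 172.16.165.132:49174 - 148.251.247.5:80 - eofdreams.com - GET /
2014-10-03 01:57:52 UTC - 172.16.165.132:49175 - 148.251.247.5:80 - eofdreams.com - GET /tpl/images/jquery.js?ver=1.7.2
2014-10-03 01:58:21 UTC - 172.16.165.132:49186 - 192.185.16.158:80 - img.broadviewhome.info - GET /k?ts=681556379
2014-10-03 01:58:22 UTC - 172.16.165.132:49201 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/birds.php?winter=3
2014-10-03 01:58:23 UTC - 172.16.165.132:49201 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/lLWZm
2014-10-03 01:58:26 UTC - 172.16.165.132:49210 - 8.28.175.74:17767 - k.epavers.com:17767 - GET /cars.php?index=1938
2014-10-03 01:58:38 UTC - 172.16.165.132:49215 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
2014-10-03 01:58:38 UTC - 172.16.165.132:49217 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/DOGgN.jar
2014-10-03 01:58:38 UTC - 172.16.165.132:49216 - 8.28.175.74:17767 - b.epavers.com:17767 - GET /alterra/U72cF2LobLT.jar
"""

# One request line; the host field may carry ":port" as in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - "
    r"(?P<host>[^ ]+) - (?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Assumed "normal" HTTP ports; anything else is worth a look (assumption).
WEB_PORTS = {80, 443, 8080, 8000}


@dataclass
class Request:
    ts: str
    src: str
    dst: str
    dport: int
    host: str
    path: str


def parse_events(text):
    """Parse request lines; leading '- ' bullets are tolerated, bad lines skipped."""
    reqs = []
    for line in text.splitlines():
        line = line.strip().lstrip("- ")
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        host = m["host"].split(":")[0]  # drop ":17767" from the host field
        reqs.append(Request(m["ts"], m["src"], m["dst"], int(m["dport"]), host, m["path"]))
    return reqs


def redirect_chain(reqs):
    """Hosts in first-seen order: compromised site -> gate -> EK server(s)."""
    seen = []
    for r in reqs:
        if r.host not in seen:
            seen.append(r.host)
    return seen


def flag_indicators(reqs):
    """(timestamp, host, reason) for each request matching an EK-style trait."""
    flags = []
    for r in reqs:
        if r.dport not in WEB_PORTS:
            flags.append((r.ts, r.host, f"http on non-standard port {r.dport}"))
        if r.path.lower().endswith(".jar"):
            flags.append((r.ts, r.host, "java archive download"))
    return flags


def unique_jar_artifacts(reqs):
    """Distinct (host, path) pairs for .jar downloads; retries collapse to one."""
    return sorted({(r.host, r.path) for r in reqs if r.path.lower().endswith(".jar")})


def requests_per_server(reqs):
    """How many requests each destination IP received."""
    return Counter(r.dst for r in reqs)


if __name__ == "__main__":
    reqs = parse_events(EVENTS)
    print("chain:", " -> ".join(redirect_chain(reqs)))
    for ts, host, reason in flag_indicators(reqs):
        print(ts, host, reason)
    print("jars:", unique_jar_artifacts(reqs))
    print("per server:", dict(requests_per_server(reqs)))
```

The host-order reconstruction is what turns a flat list into the three-stage story (compromised site, gate, EK); the jar de-duplication matters because, as the chain above shows, a browser can re-request the same archive several times and you want one artifact to retrieve from the pcap, not five alerts.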
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-10-03-Sweet-Orange-EK-flash-exploit.swf
File size: 5.1 KB ( 5183 bytes )
MD5 hash: 57d96870afc27ab4979da17b7bfbe4b3
Detection ratio: 3 / 55
First submission: 2014-09-24 19:13:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/0be459401a83ee1ad588e744d14bda20a557bf908cd3e3866cec25e3821ee86d/analysis/
MALWARE PAYLOAD:
File name: 2014-10-03-Sweet-Orange-EK-malware-payload.exe
File size: 282.9 KB ( 289664 bytes )
MD5 hash: 0c7078a2e4f181feffec2808f6812e3f
Detection ratio: 12 / 55
First submission: 2014-10-02 21:56:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/7c5f37fec06826a04f1ce9bd5b916dd221800f5a17531aaba4705e771ac4eea8/analysis/
Malwr link: https://malwr.com/analysis/YzIyNWEzMzAyNTlhNDMwZGEwNTY5NzQ2MTc4Y2U4ZWI/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 2014-10-03 01:58:21 UTC - 172.16.165.132:49186 - 192.185.16.158:80 - ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (sid:2019146)
- 2014-10-03 01:58:22 UTC - 8.28.175.74:17767 - 172.16.165.132:49201 - ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (sid:2017817)
- 2014-10-03 01:58:26 UTC - 172.16.165.132:49210 - 8.28.175.74:17767 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):
- 2014-10-03 01:58:26 UTC - 8.28.175.74:17767 - 172.16.165.132:49210 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-03 01:58:26 UTC - 8.28.175.74:17767 - 172.16.165.132:49210 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
SCREENSHOTS FROM THE TRAFFIC
Malicious code in javascript from compromised website:
Redirect (gate) pointing to Sweet Orange EK landing page:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-10-03-Sweet-Orange-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-10-03-Sweet-Orange-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.