Malware-Traffic-Analysis.net - 2014-11-15 - Vastkid[.]com generated Sweet Orange gate and failed Rig EK infection

2014-11-15 - VASTKID[.]COM GENERATED SWEET ORANGE GATE AND FAILED RIG EK INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Above: Two infection chains that didn't work out.

Above: Malicious script for Rig EK gate.

COMRPOMISED WEBSITE:

PATH TO SWEET ORANGE EK GATE:

2014-11-15 17:40:42 UTC - 107.150.19[.]133:80 - www.vastkid[.]com - GET /wp-content/themes/vastkid.com/js/hoverIntent.js
2014-11-15 17:40:48 UTC - 192.185.237[.]164:80 - cdn2.movetoclarksville[.]com - GET /k?t=607719325

RIG EK GATE:

RIG EK:

2014-11-15 17:41:13 UTC - 37.200.69[.]143:80 - siam.thosewhodo[.]org - GET /?PHPSSESID=
njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|MTljZDZkNmExZmRhMmJjNTVlYjRiODRmOWQ2OWYwOWQ

2014-11-15 17:41:17 UTC - 37.200.69[.]143:80 - siam.thosewhodo[.]org - GET /index.php?req=swf&num=5482&PHPSSESID=
njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|MTljZDZkNmExZmRhMmJjNTVlYjRiODRmOWQ2OWYwOWQ

2014-11-15 17:41:38 UTC - 37.200.69[.]143:80 - siam.thosewhodo[.]org - GET /index.php?req=xml&num=4488&PHPSSESID=
njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|MTljZDZkNmExZmRhMmJjNTVlYjRiODRmOWQ2OWYwOWQ

2014-11-15 17:41:40 UTC - 37.200.69[.]143:80 - siam.thosewhodo[.]org - GET /index.php?req=jar&num=362&PHPSSESID=
njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7CMTljZDZkNmExZmRhMmJjNTVlYjRiODRmOWQ2OWYwOWQ

2014-11-15 17:41:41 UTC - 37.200.69[.]143:80 - siam.thosewhodo[.]org - GET /META-INF/services/javax.xml.datatype.DatatypeFactory

2014-11-15 17:41:44 UTC - 37.200.69[.]143:80 - siam.thosewhodo[.]org - GET /index.php?req=mp3&num=604138&PHPSSESID=
njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7CMTljZDZkNmExZmRhMmJjNTVlYjRiODRmOWQ2OWYwOWQ

ET & ET PRO SIGNATURE HITS FROM SGUIL ON SECURITY ONION:

2014-11-15 17:40:48 UTC - 192.185.237[.]164:80 - ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014 (sid:2018737)
2014-11-15 17:40:48 UTC - 192.185.237[.]164:80 - ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (sid:2019146)
2014-11-15 17:41:13 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
2014-11-15 17:41:17 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Java Exploit to Client (sid:2013961)
2014-11-15 17:41:39 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (sid:2017064)
2014-11-15 17:41:39 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
2014-11-15 17:41:41 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs (sid:2016540)
2014-11-15 17:41:41 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps) (sid:2017579)
2014-11-15 17:41:41 UTC - 37.200.69[.]143:80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (sid:2018441)

SOURCEFIRE VRT SIGNATURE HITS FROM SNORT 2.9.6.2:

2014-11-15 17:41:17 UTC - 37.200.69[.]143:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (x4)
2014-11-15 17:41:41 UTC - 37.200.69[.]143:80 - [1:25562:4] FILE-JAVA Oracle Java obfuscated jar file download attempt
2014-11-15 17:41:41 UTC - 37.200.69[.]143:80 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt

MALWARE FROM THE EXPLOIT KIT:

Click here to return to the main page.