Sweet Orange (SO) Cookie Filter

SO uses a predictable cookie field in the exploit requests.

HTTP Request Method = GET
Content Type = application/*java-archive OR Content Type = application/pdf

Regex for the cookie field: "^\w{5}=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$"

Examples:

hxxp://dro4.trochoi.biz/aPkMt > Malicious SO PDF Payload
hxxp://niqozi.pro:8284/QWdSGB > Malicious SO Payload
hxxp://aiydedzxu.dnset.com/1241 > Malicious SO JAR Payload

This filter may produce some false positives. There are also text/html responses carrying this same cookie field that are SO related, but extending the content-type match to text/html will dramatically increase your FP rate.
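The filter above as runnable detection logic, added here as an example and not code from the original post. It assumes each request/response pair has already been extracted into a record with `method`, `content_type`, `cookie` and `url` fields (an assumption about the log or PCAP tooling in use), reads the `application/*java-archive` content type as a glob, and runs the rule over a few constructed records, including the text/html case the post warns about and a multi-cookie header that the anchored regex deliberately does not match:

```python
import re
from fnmatch import fnmatchcase

# Cookie pattern from the post: five word characters, "=", then a UUID-shaped
# value in lowercase hex. It is anchored, so the whole Cookie field must be
# exactly one such name=value pair.
COOKIE_RE = re.compile(
    r"^\w{5}=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$"
)

# "application/*java-archive" is treated as a glob (an assumption), so it
# covers application/java-archive as well as application/x-java-archive.
CONTENT_TYPE_GLOBS = ("application/*java-archive", "application/pdf")


def content_type_matches(content_type: str) -> bool:
    """Match on the media type only; parameters such as charset are ignored."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return any(fnmatchcase(media_type, glob) for glob in CONTENT_TYPE_GLOBS)


def cookie_matches(cookie: str) -> bool:
    """True only for a Cookie field that is a single SO-style pair."""
    return COOKIE_RE.fullmatch(cookie.strip()) is not None


def is_so_candidate(record: dict) -> bool:
    """All three conditions from the post must hold: GET, content type, cookie."""
    return (
        record.get("method", "").upper() == "GET"
        and content_type_matches(record.get("content_type", ""))
        and cookie_matches(record.get("cookie", ""))
    )


def so_hits(records) -> list:
    """Return the URLs of records the filter flags, in input order."""
    return [r["url"] for r in records if is_so_candidate(r)]


# Constructed sample records. The three defanged URLs come from the post; the
# cookie values, the content type assigned to the second URL, and the benign
# entries are made up for this example.
SAMPLE_RECORDS = [
    {"url": "hxxp://dro4.trochoi.biz/aPkMt", "method": "GET",
     "content_type": "application/pdf",
     "cookie": "abcde=0123abcd-4567-89ef-0123-456789abcdef"},
    {"url": "hxxp://niqozi.pro:8284/QWdSGB", "method": "GET",
     "content_type": "application/x-java-archive; charset=binary",
     "cookie": "zyxwv=deadbeef-0000-1111-2222-333344445555"},
    {"url": "hxxp://aiydedzxu.dnset.com/1241", "method": "GET",
     "content_type": "application/java-archive",
     "cookie": "qqqqq=00000000-0000-0000-0000-000000000000"},
    # SO-related landing page: same cookie, but text/html is left out on purpose.
    {"url": "hxxp://example.invalid/landing", "method": "GET",
     "content_type": "text/html",
     "cookie": "abcde=0123abcd-4567-89ef-0123-456789abcdef"},
    # Wrong method.
    {"url": "hxxp://example.invalid/upload", "method": "POST",
     "content_type": "application/pdf",
     "cookie": "abcde=0123abcd-4567-89ef-0123-456789abcdef"},
    # Ordinary session cookie on a legitimate PDF download.
    {"url": "hxxp://example.invalid/report.pdf", "method": "GET",
     "content_type": "application/pdf",
     "cookie": "sessionid=9f2c1a7e"},
    # Several cookies in one header: the anchored regex does not match.
    {"url": "hxxp://example.invalid/multi", "method": "GET",
     "content_type": "application/pdf",
     "cookie": "abcde=0123abcd-4567-89ef-0123-456789abcdef; lang=en"},
]

if __name__ == "__main__":
    for url in so_hits(SAMPLE_RECORDS):
        print("SO candidate:", url)
```

Only the first three records are flagged. The multi-cookie record shows a trade-off worth knowing before deploying the rule as written: if the tool being used presents the full `Cookie` header rather than a single pair, the anchors will suppress hits whenever any other cookie rides along, so the regex would need to be applied per pair instead.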
