2014-02-07 - FIESTA EK USES SILVERLIGHT AND JAVA EXPLOITS

ASSOCIATED FILES:

NOTES:

It's always fun to see one of these pop up right after an exploit kit infection:

This came from an infected Windows VM.  Let's check out the infection traffic that caused this...

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  silverlight-exploit-from-64.202.116.124.xap
File size:  5.1 KB ( 5242 bytes )
MD5 hash:  7c4e66aabf823a05adb15e9b27211f5a
Detection ratio:  1 / 50
First submission:  2014-02-07 02:24:27 UTC
VirusTotal link: https://www.virustotal.com/en/file/8b802ed2c0834fd5fa358fecdaa69232c5232be3d056861c89f4e70fd35d3331/analysis/

 

JAVA EXPLOIT

File name:  java-exploit-from-64.202.116.124.jar
File size:  7.1 KB ( 7275 bytes )
MD5 hash:  43cdd56c3523ed44e04330a07784ea42
Detection ratio:  2 / 50
First submission:  2014-02-07 02:24:53 UTC
VirusTotal link: https://www.virustotal.com/en/file/36a6ce0a91bf3a740fee07cabab813f183132bebe943768a5795b05e0870207e/analysis/

 

MALWARE PAYLOAD

File name:  01391736645790.exe
File size:  108.2 KB ( 110810 bytes )
MD5 hash:  a6494f7ac9f727c087dec76ca2ef5703
Detection ratio:  11 / 50
First submission:  2014-02-07 02:25:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/ec31856050c1f0a39573a9d348ad72e2894cd9f9f20800b952f3813b7fe48fb6/analysis/

 

ADDITIONAL MALWARE SEEN IN USER'S LOCAL\APPDATA\TEMP FOLDER

File name: 
File size:  101.5 KB ( 103936 bytes )
MD5 hash:  9a48893bf6b2d183352ae962e337d73b
Detection ratio:  10 / 50
First submission:  2014-02-06 21:09:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/efc1b2a31a8f480e30affea1a0212e7e9c8a2585b8c5f525cb2ece10285a0a11/analysis/

 

SNORT EVENTS

SNORT EVENTS FOR FIESTA EK TRAFFIC (FROM SECURITY ONION)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.degreeinfo.com/business-mba-degrees/42642-associates-degree-top-up-degree-uk.html

 

Redirect - slyjbyvmit.com/adpohmfjz.js?95151048d3a0f415

 

Fiesta EK domain delivers Silverlight exploit - ujessy.in.ua/fvd5lr7/?558373252a66735646594e080408070205060f080351020e00075e0704040102;511041

 

EXE payload through the Silverlight exploit- ujessy.in.ua/fvd5lr7/?44f25ec574919ee5514c0309065e5602040751090107530e0106000606525002;1;6

 

Fiesta EK domain delivers Java exploit - ujessy.in.ua/fvd5lr7/?697f1afc22f4d8315956555d025a5354060a005d05035658030b515202565254

 

EXE payload through the Java exploit- ujessy.in.ua/fvd5lr7/?7446dc66c4acccb5544c510d575803010707030d5001060d0206520257540501;1;4

 

FINAL NOTES

Once again, here are links for PCAP file of the traffic and ZIP file of the associated malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.