2014-02-11 - FIESTA EK DELIVERS CLICK FRAUD MALWARE

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name: czJInaMB.xap
File size: 5.2 KB (5337 bytes)
MD5 hash: fd51f8ffbe8c9dbb323b2dc2ae63827e
Detection ratio: 1 / 48
First submission: 2014-02-11 03:52:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/b31485f99bea716f2f48a4f5d55b93d7941227eed668a8649c0e34b0b5419e56/analysis/

FIESTA EK JAVA EXPLOIT

File name: WPIKFt1N.jar
File size: 7.1 KB (7243 bytes)
MD5 hash: 10040755960a9a57cf4f0a1659acaed9
Detection ratio: 0 / 47
First submission: 2014-02-11 03:55:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/78c695acb7df1c727a7bc719040612230b05bed3826611c3961e113c78e7e0c6/analysis/

FIESTA EK MALWARE PAYLOAD

File name: flashplayer11_7r14357_316_win.exe
File size: 119.9 KB (122828 bytes)
MD5 hash: 1d184f194298db74373598d8b570fef1
Detection ratio: 31 / 47
First submission: 2014-02-11 03:56:14 UTC
VirusTotal link: https://www.virustotal.com/en/file/a97344e8e651933f7035820f4697a1d0af217ac6cefc21f040c6c8c1645ceae2/analysis/

SWEET ORANGE EK MALWARE PAYLOAD

File name: additional-malware-from-pop.qihuvy.eu.exe
File size: 295.5 KB (302592 bytes)
MD5 hash: 1d184f194298db74373598d8b570fef1
Detection ratio: 9 / 31
First submission: 2014-02-15 02:06:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/2c2a39c67396afc1a3e9a2b1fc062c507b8923121d8aba5139602ddf314c5ad7/analysis/

SNORT EVENTS

SNORT EVENTS FOR FIESTA EK TRAFFIC (FROM SECURITY ONION)

SNORT EVENTS FOR PHYSICAL HOST INFECTION AND CLICK FRAUD TRAFFIC (FROM SECURITY ONION)

As mentioned earlier, the EXE payload didn't do anything on the VM, so I executed the EXE from a physical host's AppData/Local/Temp directory.

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page:
forum.freeadvice.com/landlord-tenant-issues-42/automatic-renewal-386017.html

Redirect:
newblogsherehally.com/sdqgfwev.js?27d69957fc93b5b2

Fiesta EK domain delivers Silverlight exploit:
ucrysy.in.ua/wu2shc5/?664175148e6103c3455a420a040e00000503030a0357010f030452080f0d5306;5110411

Fiesta EK Silverlight exploit delivers EXE payload:
ucrysy.in.ua/wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6

Fiesta EK domain delivers Java exploit:
ucrysy.in.ua/wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6

Fiesta EK Java exploit delivers EXE payload:
ucrysy.in.ua/wu2shc5/?6d31151460abbc20551c560a020e00000551040a0557010f03565508090d5306;1;4

Post infection, Sweet Orange EK delivers EXE payload:
pop.qihuvy.eu/calendar.php?books=574&hotel=4&wifi=701&create=171&video=691&test=408&hotel=200&watch=630

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.