2014-02-12 - COMPROMISED SITE LED TO WHITEHOLE EK IN DEC 2013--NOW GOES TO FIESTA EK

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  Zp04aDKr.xap
File size:  5.2 KB ( 5337 bytes )
MD5 hash:  fd51f8ffbe8c9dbb323b2dc2ae63827e
Detection ratio:  1 / 50
First submission:  2014-02-11 03:52:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/b31485f99bea716f2f48a4f5d55b93d7941227eed668a8649c0e34b0b5419e56/analysis/

NOTE: This is the same Silverlight exploit seen in my previous Fiesta EK blog entry on 2014-02-11

JAVA EXPLOIT

File name:  M0tZPQin.jar
File size:  7.1 KB ( 7243 bytes )
MD5 hash:  10040755960a9a57cf4f0a1659acaed9
Detection ratio:  7 / 50
First submission:  2014-02-11 03:55:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/78c695acb7df1c727a7bc719040612230b05bed3826611c3961e113c78e7e0c6/analysis/

NOTE: This is the same Java exploit seen in my previous Fiesta EK blog entry on 2014-02-11

MALWARE PAYLOAD

File name:  flashplayer11_7r22082_216_win.exe
File size:  112.1 KB ( 114771 bytes )
MD5 hash:  5069e86c294cc34b32e7d3ea7fca8b2e
Detection ratio:  24 / 50
First submission:  2014-02-11 13:41:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/21578db90c165942f1b0be8b2306b807e1347aa32595008a3259e37d35c4453e/analysis/

SNORT EVENTS

SNORT EVENTS FOR FIESTA EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Javascript redirect in the infected web page - www.kffl.com/

First redirect - sordonics.com/JobFiles/CMC/

Second redirect - retonad.info/ads/id_24853.swf and a Flash-based ad redirect

Fiesta EK domain delivers Silverlight exploit:
a.pimpmycar.ro/fvchd56/?4739944a4e800951475b45020b0f0653040f01020d56045a010555585d560700;5110411

Silverlight exploit delivers EXE payload:
a.pimpmycar.ro/fvchd56/?180ec0511077e4e25440555e510b07030100025e5752050a040a560407520650;1;6

Fiesta EK domain delivers Java exploit:
a.pimpmycar.ro/fvchd56/?706ed2f154a54b66585f545e560954030708045e5050560a0202500400505209

Java exploit delivers EXE payload:
a.pimpmycar.ro/fvchd56/?6ac08c4da04ab6b25519060b0a5806560659510b0c01045f035305515c010705;1;4
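The following proxy-log triage script is added here as a worked example; it is not code from the original post, nor from Security Onion or the Snort rules mentioned above. It takes the hosts, URLs and MD5 hashes listed on this page as indicators and walks a small log in a constructed "<epoch> <client_ip> <host> <path?query>" format, tagging the compromised site, the two redirect hosts, and every request to the Fiesta EK domain whose query has the shape seen above (a 64-character hex token followed by up to two ';'-separated numbers). The rule that treats a query with two trailing fields as the payload download is an assumption drawn only from the four URLs in this capture (the EXE came back on ";1;6" and ";1;4"), and the timestamps and client addresses in the sample log are made up.

```python
import re
from typing import Dict, List, Optional

# Indicators copied from the capture described on this page.
COMPROMISED_SITE = "www.kffl.com"
REDIRECT_HOSTS = {"sordonics.com", "retonad.info"}
FIESTA_HOST = "a.pimpmycar.ro"
FIESTA_PATH = "/fvchd56/"
KNOWN_MD5 = {
    "fd51f8ffbe8c9dbb323b2dc2ae63827e": "Silverlight exploit (Zp04aDKr.xap)",
    "10040755960a9a57cf4f0a1659acaed9": "Java exploit (M0tZPQin.jar)",
    "5069e86c294cc34b32e7d3ea7fca8b2e": "EXE payload (flashplayer11_7r22082_216_win.exe)",
}

# Query shape shared by every Fiesta EK request on this page: a 64-character
# hex token, then zero, one or two ';'-separated decimal fields.
FIESTA_QUERY = re.compile(r"^\?(?P<token>[0-9a-f]{64})(?P<fields>(?:;\d+){0,2})$")


def classify_request(host: str, path_and_query: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for one proxied request, or None if it looks benign."""
    host = host.lower()
    if host == COMPROMISED_SITE:
        return {"tag": "compromised-site", "host": host, "detail": path_and_query}
    if host in REDIRECT_HOSTS:
        return {"tag": "redirect-chain", "host": host, "detail": path_and_query}
    if host != FIESTA_HOST:
        return None
    if not path_and_query.startswith(FIESTA_PATH):
        return {"tag": "fiesta-host-other", "host": host, "detail": path_and_query}
    match = FIESTA_QUERY.match(path_and_query[len(FIESTA_PATH):])
    if match is None:
        return {"tag": "fiesta-host-other", "host": host, "detail": path_and_query}
    fields = [f for f in match.group("fields").split(";") if f]
    # Assumption drawn only from this capture: the two requests that returned
    # the EXE payload carried two trailing fields (";1;6" and ";1;4"), while the
    # exploit requests carried zero or one. Treat two fields as a payload fetch.
    stage = "payload-download" if len(fields) == 2 else "exploit-delivery"
    return {"tag": "fiesta-ek", "host": host, "detail": stage,
            "token": match.group("token")}


def parse_log_line(line: str) -> Optional[List[str]]:
    """Constructed log format used here: '<epoch> <client_ip> <host> <path?query>'."""
    parts = line.strip().split(None, 3)
    return parts if len(parts) == 4 else None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run every log line through classify_request and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, client, host, path_and_query = parsed
        finding = classify_request(host, path_and_query)
        if finding is not None:
            finding.update({"ts": ts, "client": client})
            findings.append(finding)
    return findings


def lookup_md5(md5_hex: str) -> Optional[str]:
    """Match a file hash against the three samples listed on this page."""
    return KNOWN_MD5.get(md5_hex.strip().lower())


# Constructed sample log: timestamps and client IPs are made up; the hosts and
# URLs are the ones shown in the traffic highlights above.
SAMPLE_LOG = """\
1392087120 10.0.0.15 www.kffl.com /
1392087121 10.0.0.15 sordonics.com /JobFiles/CMC/
1392087122 10.0.0.15 retonad.info /ads/id_24853.swf
1392087123 10.0.0.15 a.pimpmycar.ro /fvchd56/?4739944a4e800951475b45020b0f0653040f01020d56045a010555585d560700;5110411
1392087124 10.0.0.15 a.pimpmycar.ro /fvchd56/?180ec0511077e4e25440555e510b07030100025e5752050a040a560407520650;1;6
1392087125 10.0.0.15 a.pimpmycar.ro /fvchd56/?706ed2f154a54b66585f545e560954030708045e5050560a0202500400505209
1392087126 10.0.0.15 a.pimpmycar.ro /fvchd56/?6ac08c4da04ab6b25519060b0a5806560659510b0c01045f035305515c010705;1;4
1392087127 10.0.0.22 www.example.com /index.html
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["client"], f["tag"], f["host"], f["detail"])
    print(lookup_md5("5069e86c294cc34b32e7d3ea7fca8b2e"))
```

Hostname and hash matching will go stale as soon as the EK operator rotates domains, which Fiesta did constantly; the query-shape check on the Fiesta landing path is the part worth keeping in a proxy-log hunt, and a request to any host whose query is a 64-hex token with ';'-numbers appended should at least get a second look alongside the Snort alerts above.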
FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
