2014-02-18 - FIESTA EK - JAVA EXPLOIT AND TWO PIECES OF MALWARE

ASSOCIATED FILES:

NOTES:

Found Fiesta EK traffic from a domain that was registered approximately 6 hours before the infection traffic.  It delivered two pieces of malware (shown below, from the user's AppData\Local\Temp folder):

CHAIN OF EVENTS

ASSOCIATED DOMAINS

EXPLOIT DOMAIN REGISTRATION

Fiesta EK domain name:  IiiIiiIoOoOoOoOoO.us
Sponsoring Registrar:  Enom, Inc.
Domain Registration Date:  2014-02-18 03:13 UTC (about 6 hours before today's infection traffic)
Domain Expiration Date:  2015-02-17
Name Servers:  dns1.registrar-servers.com   through   dns5.registrar-servers.com

INFECTION CHAIN OF EVENTS (all times UTC on 2014-02-18)

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  FWtZmp1y.jar
File size:  7.2 KB ( 7329 bytes )
MD5 hash:  19b146b18c6906f3aa282f772385b419
Detection ratio:  1 / 49
First submission:  2014-02-17 20:54:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/719530e92c0e3c0f13623f1574dee494071eac8c8a621b4a0a1be2709d7749ac/analysis/

MALWARE PAYLOAD - FIRST FILE

File name:  01392737089584.exe
File size:  777.0 KB ( 795664 bytes )
MD5 hash:  b83bc9c5c6b3181bd3237926323a4c73
Detection ratio:  5 / 50
First submission:  2014-02-18 15:49:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/ce3610fe26a923cba07394a9a703069b3940206d7d7562fa59df82fd1dd65ea6/analysis/
Malwr link: https://malwr.com/analysis/MWQ5NjdkNzZmNDZiNDczMDg4MzdiOWY3ZDlmN2M1Zjk/

MALWARE PAYLOAD - SECOND FILE

File name:  11392737089584.exe
File size:  79.4 KB ( 81263 bytes )
MD5 hash:  dbfc6fb26a6b7160a38cd748d8cfef01
Detection ratio:  9 / 50
First submission:  2014-02-18 15:49:36 UTC
VirusTotal link: https://www.virustotal.com/en/file/f3c62e80e1419e933d28dac78ad8c50ad5c4f60bb480a5299d7ee539aa972cc0/analysis/
Malwr link: https://malwr.com/analysis/OTZlYzBmZjc1ZTViNDI3MmIzZTQ2MjVmZWUyMjUwYTQ/

SNORT EVENTS

SNORT EVENTS FOR THIS FIESTA EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.bukbesthotels.net/

Fiesta EK delivers Java exploit - iiiiiiioooooooooo.us/ov6hu7j/?4eac42987b35103b5b0a035807090b000251555800500903015651500350095d

Fiesta EK delivers first EXE payload - iiiiiiioooooooooo.us/ov6hu7j/?765efa43204e9236544e505e555a060b0102015e520304080205055651030405;1;4

Fiesta EK delivers second EXE payload - iiiiiiioooooooooo.us/ov6hu7j/?76af11b7204e9236544e045d020a500f0102555d0553520c0205515506535201;2;4

Post-infection callback traffic (returned a 404 Not Found response) - 178.86.17.32/
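The chain above (compromised page, Fiesta EK landing/exploit request, two payload requests with a ";n;m" suffix, then a callback to a bare IP) can be turned into a simple log check. The following script is an added example and is not part of the original post: it runs the indicators from this report (the Fiesta domain, the callback IP, the three MD5 hashes and the registration time) over constructed proxy log lines. The URL regex generalizes the three Fiesta EK requests shown above (a short alphanumeric directory followed by a 64-character hex query string); the directory-length limits, the log line format and all timestamps in the sample log are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Indicators taken from the report above.
FIESTA_DOMAIN = "iiiiiiioooooooooo.us"
CALLBACK_IP = "178.86.17.32"
DOMAIN_REGISTERED = datetime(2014, 2, 18, 3, 13, tzinfo=timezone.utc)
KNOWN_MD5 = {
    "19b146b18c6906f3aa282f772385b419": "FWtZmp1y.jar (Fiesta EK Java exploit)",
    "b83bc9c5c6b3181bd3237926323a4c73": "01392737089584.exe (first EXE payload)",
    "dbfc6fb26a6b7160a38cd748d8cfef01": "11392737089584.exe (second EXE payload)",
}

# URL shape generalized from the three Fiesta EK requests in the report:
# "/<short dir>/?<64 hex chars>", with payload requests adding ";<n>;<m>".
# The 4-12 character directory length is an assumption for this example.
FIESTA_URL = re.compile(
    r"^/(?P<dir>[a-z0-9]{4,12})/\?(?P<token>[0-9a-f]{64})"
    r"(?:;(?P<idx>\d+);(?P<total>\d+))?$"
)

# Constructed proxy log (not the original capture): "<UTC time> <host> <path>".
# The requests mirror the ones listed in the report; the times are invented.
SAMPLE_LOG = """\
2014-02-18T09:20:01Z www.bukbesthotels.net /
2014-02-18T09:20:02Z iiiiiiioooooooooo.us /ov6hu7j/?4eac42987b35103b5b0a035807090b000251555800500903015651500350095d
2014-02-18T09:20:05Z iiiiiiioooooooooo.us /ov6hu7j/?765efa43204e9236544e505e555a060b0102015e520304080205055651030405;1;4
2014-02-18T09:20:06Z iiiiiiioooooooooo.us /ov6hu7j/?76af11b7204e9236544e045d020a500f0102555d0553520c0205515506535201;2;4
2014-02-18T09:20:09Z 178.86.17.32 /
2014-02-18T09:21:00Z www.example.org /index.html?id=1234
"""


def classify(host, path):
    """Label one request with the Fiesta EK stage it resembles, or None."""
    m = FIESTA_URL.match(path)
    if m:
        if m.group("idx") is None:
            return "fiesta-ek landing/exploit request"
        return "fiesta-ek payload request %s of %s" % (m.group("idx"), m.group("total"))
    if host == CALLBACK_IP:
        return "post-infection callback (known IP)"
    return None


def parse_ts(ts):
    """Parse the constructed log timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def scan_log(text):
    """Return [(timestamp, host, label)] for every line that matches a stage."""
    hits = []
    for line in text.splitlines():
        ts, host, path = line.split(" ", 2)
        label = classify(host, path)
        if label:
            hits.append((ts, host, label))
    return hits


def domain_age_hours(observed, registered=DOMAIN_REGISTERED):
    """Hours between the Fiesta domain's registration and an observed request."""
    return (observed - registered) / timedelta(hours=1)


def first_fiesta_request_age_hours(text):
    """Age of the Fiesta domain at the first matching request in the log."""
    for ts, host, label in scan_log(text):
        if host == FIESTA_DOMAIN:
            return domain_age_hours(parse_ts(ts))
    return None


def hash_lookup(md5):
    """Map a file's MD5 to the sample named in the report, if it is one of them."""
    return KNOWN_MD5.get(md5.lower())


if __name__ == "__main__":
    for ts, host, label in scan_log(SAMPLE_LOG):
        print(ts, host, label)
    print("domain age at first request: %.1f hours" % first_fiesta_request_age_hours(SAMPLE_LOG))
    print(hash_lookup("B83BC9C5C6B3181BD3237926323A4C73"))
```

The domain-age check is the point worth keeping: a domain registered a few hours before it starts serving an exploit kit is itself a strong signal, independent of the URL pattern, so the same check can be applied to any host in the log once a registration time is available from WHOIS.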

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
