2014-02-28 - FIESTA EK USES CVE-2013-2465 JAVA EXPLOIT

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  AGYqT4Pu.jar
File size:  7.1 KB ( 7310 bytes )
MD5 hash:  c25e3daaf47242c7e18e20487d55deba
Detection ratio:  2 / 49
First submission:  2014-02-28 04:00:35 UTC
VirusTotal link: https://www.virustotal.com/en/file/cb457f802fdffcd4d3fa1bc304cc35d0ab40bea7b2d1cfc806b3847afe732c8b/analysis/


VirusTotal identifies this as CVE-2013-2465.

MALWARE PAYLOAD

File name:  01393606141963.exe
File size:  139.0 KB ( 142336 bytes )
MD5 hash:  1140efb1ad6b9cd5e5abd11ffe600162
Detection ratio:  4 / 46
First submission:  2014-02-28 17:08:23 UTC
VirusTotal link: https://www.virustotal.com/en/file/94b68d15b20be1e43222adacdd7fd7da67ada7f82e5de645e553b7a9e02f8cd0/analysis/
Malwr link: https://malwr.com/analysis/OTYyY2NmNTFkYzZhNGNkNjhmM2ViMGJlNzA3MGE5OGU/

SNORT EVENTS

SNORT EVENTS FOR FIESTA EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.quickr.org/Visa_ATM_132_NORTH_WIGGS_ST_GRIFFITH_IN_46319

Fiesta EK delivers CVE-2013-2465 Java exploit - ovpoiifspl.serveblog.net/sw5h3t2/?77788a57a0727b5958585503015a060f040700030c03050c020406085a055353

Java exploit delivers EXE payload - ovpoiifspl.serveblog.net/sw5h3t2/?4862a620fc643d4d57405309580d0108070801095554020b010b070203525403;1;4

Callback traffic using HTTP POST over TCP port 443 - 88.190.226.223:443/4340A857E64547408B7CD9D140255D29150912FF6B
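The four requests above make up the whole chain, so a defender's first question is how to spot it in proxy logs. The script below is an added example, not part of this write-up: it takes the hosts, IP and URL patterns listed on this page, runs them over a few constructed log lines in an assumed "client method url status" format, and reports why each line was flagged. Two heuristics are assumptions drawn only from the URLs shown here: the Fiesta EK requests carry a 64-character hex query string (optionally followed by ";digit" fields), and the callback is plain HTTP POST to a bare IP address on port 443 rather than TLS.

```python
"""Added example: match proxy log lines against the indicators in the
2014-02-28 Fiesta EK write-up. Log format and heuristics are assumptions."""
import re
from ipaddress import ip_address

# Hosts named in the write-up, with the role each one plays in the chain
IOC_HOSTS = {
    "www.quickr.org": "compromised page carrying the EK iframe",
    "ovpoiifspl.serveblog.net": "Fiesta EK host (Java exploit and EXE payload)",
    "88.190.226.223": "post-infection callback server",
}

# Assumed log format: "<client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(
    r"^http://(?P<host>[^/:?]+)(?::(?P<port>\d+))?(?P<path>/[^?]*)?(?:\?(?P<query>.*))?$"
)
# Assumption from the two Fiesta URLs on this page: a 64-hex query,
# optionally followed by ";<digits>" fields such as ";1;4"
FIESTA_QUERY_RE = re.compile(r"^[0-9a-f]{64}(?:;\d+)*$")

# Constructed sample log (not real captured traffic); the URLs are the ones
# listed in the write-up plus one benign request
SAMPLE_LOG = """\
10.0.0.5 GET http://www.quickr.org/Visa_ATM_132_NORTH_WIGGS_ST_GRIFFITH_IN_46319 200
10.0.0.5 GET http://ovpoiifspl.serveblog.net/sw5h3t2/?77788a57a0727b5958585503015a060f040700030c03050c020406085a055353 200
10.0.0.5 GET http://ovpoiifspl.serveblog.net/sw5h3t2/?4862a620fc643d4d57405309580d0108070801095554020b010b070203525403;1;4 200
10.0.0.5 POST http://88.190.226.223:443/4340A857E64547408B7CD9D140255D29150912FF6B 200
10.0.0.6 GET http://example.com/index.html 200
"""


def parse_line(line):
    """Split one log line into client, method, status and URL components.
    Returns None for lines that do not fit the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    if not u:
        return None
    rec.update(u.groupdict())
    rec["port"] = int(rec["port"]) if rec["port"] else 80
    return rec


def is_ip_literal(host):
    """True when the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the list of reasons a parsed request looks like this chain."""
    reasons = []
    if rec["host"] in IOC_HOSTS:
        reasons.append("known indicator: " + IOC_HOSTS[rec["host"]])
    if rec["query"] and FIESTA_QUERY_RE.match(rec["query"]):
        reasons.append("Fiesta-style 64-hex query string")
    # Callback in the write-up: HTTP POST, not TLS, to an IP literal on 443
    if rec["method"] == "POST" and rec["port"] == 443 and is_ip_literal(rec["host"]):
        reasons.append("plain HTTP POST to a bare IP on port 443")
    return reasons


def scan(text):
    """Run every parsable line through classify(); keep the flagged ones."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} {url}\n    " + "; ".join(reasons))
```

The host list is the part that goes stale first; the two structural heuristics are what keep the check useful once the EK moves to a new domain, which is why they are reported separately from the indicator match.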

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.