2014-03-02 - FIESTA EK USES MSIE, SILVERLIGHT, AND JAVA EXPLOITS

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name: X5Nm2aYi.jar
File size: 7.1 KB (7310 bytes)
MD5 hash: c25e3daaf47242c7e18e20487d55deba
Detection ratio: 3 / 50
First submission: 2014-02-28 04:00:35 UTC
VirusTotal link: https://www.virustotal.com/en/file/cb457f802fdffcd4d3fa1bc304cc35d0ab40bea7b2d1cfc806b3847afe732c8b/analysis/


SILVERLIGHT EXPLOIT

File name: tlcosA2O.xap
File size: 5.3 KB (5380 bytes)
MD5 hash: 41c1598c3a96b6da57e4a8e293c7239d
Detection ratio: 9 / 49
First submission: 2014-02-28 03:56:56 UTC
VirusTotal link: https://www.virustotal.com/en/file/dd9da2c36a12f335d424f987999244bd20790ce29c8177bd90c5860743fd3a51/analysis/


MALWARE PAYLOAD

File name: 01393733744523.exe
File size: 109.4 KB (112005 bytes)
MD5 hash: 0169092805ce5ec88ad307d6f8b579e5
Detection ratio: 9 / 50
First submission: 2014-03-02 04:17:44 UTC
VirusTotal link: https://www.virustotal.com/en/file/1a0264ccb27db678a0e3f49c88702d808c25e13985faad345e615df34d667320/analysis/
Malwr link: https://malwr.com/analysis/NmU2ZDUwYjZkOTU0NDk2ZmIyZDA1ZDU5ZjE2NzUzNDc/


SNORT EVENTS

SNORT EVENTS FOR FIESTA EK TRAFFIC (FROM SECURITY ONION)


HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript from the infected web page - www.yotatech.com/f116/replacing-valve-stem-seals-diy-job-98112/


Redirect - bekkisnikkic.com/tsghrfb.js?a671c3e1f18ba48a


Fiesta EK delivers MSIE exploit:
azxder.in.ua/sb6r1yl/?63c51312c484071c5f560f0e03080700070b510e05510109030052075303030b


MSIE exploit delivers EXE payload:
azxder.in.ua/sb6r1yl/?4746c00c303604e657475f0d510b0651050f060d57520058010405040100025a;6


Fiesta EK delivers Silverlight exploit (did not deliver EXE payload):
azxder.in.ua/sb6r1yl/?5f5b169815f784a3460a4359030d0f0a045e0759055409030055045053060b01;5110411


Fiesta EK delivers Java exploit:
azxder.in.ua/sb6r1yl/?34757ad54289c4695c5b550e055a5207020c050e0303540e0607060755515700


Java exploit delivers EXE payload:
azxder.in.ua/sb6r1yl/?003c1a3bfb3d3b4053485658035a05500108015805030359050302515351015b;1;4
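The five Fiesta EK requests above share one shape: a single short alphanumeric directory, then a bare query string of 64 hex characters with no key=value pair, optionally followed by one or more ";<digits>" fields. As an added example (not code from this page's author or from the malware-traffic-analysis site), the following Python turns that shape into a check a defender can run over proxy logs: it parses constructed log lines, flags requests matching the pattern, keeps the trailing ";" fields so an analyst can line them up against the stages listed above, and groups hits per client. The log format, the regular expression, and the claim that this URL shape generalises beyond the five URLs on this page are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed proxy-log excerpt for this example. The field layout (date and
# time, client IP, method, host, path with query, HTTP status) is an
# assumption; the yotatech.com, bekkisnikkic.com and azxder.in.ua requests are
# the ones from the traffic highlights above, the last two lines are
# constructed benign noise that must NOT be flagged.
SAMPLE_LOG = """\
2014-03-02 04:15:01 10.0.0.5 GET www.yotatech.com /f116/replacing-valve-stem-seals-diy-job-98112/ 200
2014-03-02 04:15:02 10.0.0.5 GET bekkisnikkic.com /tsghrfb.js?a671c3e1f18ba48a 200
2014-03-02 04:15:03 10.0.0.5 GET azxder.in.ua /sb6r1yl/?63c51312c484071c5f560f0e03080700070b510e05510109030052075303030b 200
2014-03-02 04:15:04 10.0.0.5 GET azxder.in.ua /sb6r1yl/?4746c00c303604e657475f0d510b0651050f060d57520058010405040100025a;6 200
2014-03-02 04:15:05 10.0.0.5 GET azxder.in.ua /sb6r1yl/?5f5b169815f784a3460a4359030d0f0a045e0759055409030055045053060b01;5110411 200
2014-03-02 04:15:06 10.0.0.5 GET azxder.in.ua /sb6r1yl/?34757ad54289c4695c5b550e055a5207020c050e0303540e0607060755515700 200
2014-03-02 04:15:07 10.0.0.5 GET azxder.in.ua /sb6r1yl/?003c1a3bfb3d3b4053485658035a05500108015805030359050302515351015b;1;4 200
2014-03-02 04:15:08 10.0.0.9 GET www.example.com /search?q=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 200
2014-03-02 04:15:09 10.0.0.9 GET cdn.example.net /abc1234/?deadbeef 200
"""

# One log line in the constructed format above.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# URL shape derived from the five Fiesta EK requests in this capture:
#   /<5-10 alphanumerics>/?<64 hex chars>[;<digits>[;<digits>...]]
# Treating this as the kit's general URL format is an assumption.
FIESTA_URL_RE = re.compile(r"^/([a-z0-9]{5,10})/\?([0-9a-f]{64})((?:;\d+)*)$")


def parse_line(line):
    """Split one log line into a dict of fields, or return None if it does not parse."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_url(url):
    """Return (directory, hex_token, suffix_fields) when the URL has the
    Fiesta EK shape, otherwise None. A 64-hex string hidden inside a normal
    key=value query (e.g. /search?q=...) does not match, by design."""
    m = FIESTA_URL_RE.match(url)
    if not m:
        return None
    directory, token, suffix = m.groups()
    suffixes = [s for s in suffix.split(";") if s]  # ";1;4" -> ["1", "4"]
    return directory, token, suffixes


def find_fiesta_hits(log_text):
    """Scan log text and return one record per request matching the Fiesta EK URL shape."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        classified = classify_url(rec["url"])
        if classified is None:
            continue
        directory, token, suffixes = classified
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "host": rec["host"],
            "directory": directory,
            "token": token,
            "suffixes": suffixes,
        })
    return hits


def summarize_by_client(hits):
    """Group hits per client: contacted hosts, and counts of requests with a
    bare 64-hex token versus requests carrying trailing ';' fields."""
    summary = defaultdict(lambda: {"hosts": set(), "bare": 0, "suffixed": 0})
    for h in hits:
        entry = summary[h["client"]]
        entry["hosts"].add(h["host"])
        if h["suffixes"]:
            entry["suffixed"] += 1
        else:
            entry["bare"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = find_fiesta_hits(SAMPLE_LOG)
    for h in found:
        tag = ";".join(h["suffixes"]) or "-"
        print(f"{h['ts']} {h['client']} {h['host']}/{h['directory']}/ "
              f"token={h['token'][:8]}... suffix={tag}")
    for client, entry in summarize_by_client(found).items():
        print(f"{client}: {entry['bare']} bare + {entry['suffixed']} suffixed "
              f"requests to {sorted(entry['hosts'])}")
```

On the sample data the five azxder.in.ua requests are flagged and nothing else is; the per-client summary then gives an analyst the hosts to block and the sequence of ";" fields to compare with the exploit and payload stages listed above, rather than relying on the domain name alone, which changes from campaign to campaign.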


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.