2014-03-13 - FIESTA EK DELIVERS CLICK FRAUD TROJAN

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS ON 2014-03-13

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS ON 2014-03-13

POST-INFECTION CALLBACK TRAFFIC

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-03-13-Fiesta-EK-silverlight-exploit.xap
File size:  5.1 KB ( 5242 bytes )
MD5 hash:  e49ae100637dacd6a5b2864215bb13e5
Detection ratio:  0 / 50
First submission:  2014-03-14 04:28:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/28e68f506986a0cf7f38110f274529f78f5d1491f2b78a3f7e84a4de64bc2c39/analysis/

 

JAVA EXPLOIT

File name:  2014-03-13-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7444 bytes )
MD5 hash:  0d412aa73830d622e2aef154d4ef6b3d
Detection ratio:  5 / 50
First submission:  2014-03-13 19:27:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/db17ffdda6f50170eb10973209b443aa3b3f45fb346db8d7d6088bc0a4b32d15/analysis/

 

MALWARE PAYLOAD

File name:  2014-03-13-Fiesta-EK-malware-payload.exe
File size:  144.0 KB ( 147456 bytes )
MD5 hash:  f84d030c8efdd4feb2061b57faea8157
Detection ratio:  18 / 50
First submission:  2014-03-14 04:29:37 UTC
VirusTotal link: https://www.virustotal.com/en/file/be2c9730fcf5482e82d3bf99b895987b674163902b20b07e9b869ae25fd686e8/analysis/
Malwr link: https://malwr.com/analysis/YWQ0ZDNiYmZmZDhlNDZiNmIwZDIzOGRiZmZhZmQ0MGU/

 

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.mappery.com/maps-United-States

 

Fiesta EK delivers Silverlight exploit -
ihbctxjkp.myvnc.com/1je6bsz/?79fc0a0e56341fb544551058095a0450040151580403005e020a545253570504;5110411

 

Silverlight exploit delivers EXE payload -
ihbctxjkp.myvnc.com/1je6bsz/?4891ceae73f59ff05748520a5a5e555007000e0a5707515e010b0b0000535404;6

 

Fiesta EK delivers Java exploit -
ihbctxjkp.myvnc.com/1je6bsz/?351ac5e448ba11635c5a535a5a0e5101000d065a5757550f0606035000035205

 

Java exploit delivers EXE payload -
ihbctxjkp.myvnc.com/1je6bsz/?02969a35b8fea056534a5c0d005a0700030a0e0d0d03030e05010b075a570654;1;4

 

Callback traffic - HTTP POST over port 443 - 188.165.106.64:443/76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
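As an added detection example that is not part of the original write-up: a small Python classifier that flags request lines matching the Fiesta EK URL shape seen above (short directory, 64-hex-character token, optional ";"-separated integers) and the plain HTTP POST callback to a bare IP on port 443. The log format, the directory-length and path-length windows, and the two benign noise lines are constructed assumptions; the flagged URLs are the ones listed on this page.

```python
import re

# Fiesta EK exploit/payload URLs in this capture: a short alphanumeric directory,
# then a query string of exactly 64 hex chars, optionally followed by ";"-separated
# integers (";5110411", ";6", ";1;4"). The 5-10 directory length is an assumption.
FIESTA_URL_RE = re.compile(r"^/[a-z0-9]{5,10}/\?[0-9a-f]{64}(?:;[0-9]+)*$")

# Post-infection callback: HTTP POST to a bare IP address on tcp/443 with a long
# uppercase-hex path and no query string. The 32-48 length window is an assumption.
CALLBACK_RE = re.compile(r"^/[0-9A-F]{32,48}$")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_log_line(line):
    """Parse the constructed format 'METHOD host:port path' into a 4-tuple."""
    method, hostport, path = line.split()
    host, port = hostport.rsplit(":", 1)
    return method, host, int(port), path

def classify(method, host, port, path):
    """Return a label for a request matching one of the rules, else None."""
    if FIESTA_URL_RE.match(path):
        return "fiesta-ek-url"
    if (method == "POST" and port == 443
            and IP_HOST_RE.match(host) and CALLBACK_RE.match(path)):
        return "fiesta-payload-callback"
    return None

def scan(log_text):
    """Return (line, label) for every request in the log that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            label = classify(*parse_log_line(line))
            if label:
                hits.append((line, label))
    return hits

# Constructed log: the requests listed on this page plus two benign lines.
SAMPLE_LOG = """\
GET www.mappery.com:80 /maps-United-States
GET ihbctxjkp.myvnc.com:80 /1je6bsz/?79fc0a0e56341fb544551058095a0450040151580403005e020a545253570504;5110411
GET ihbctxjkp.myvnc.com:80 /1je6bsz/?4891ceae73f59ff05748520a5a5e555007000e0a5707515e010b0b0000535404;6
GET ihbctxjkp.myvnc.com:80 /1je6bsz/?351ac5e448ba11635c5a535a5a0e5101000d065a5757550f0606035000035205
GET ihbctxjkp.myvnc.com:80 /1je6bsz/?02969a35b8fea056534a5c0d005a0700030a0e0d0d03030e05010b075a570654;1;4
POST 188.165.106.64:443 /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
GET cdn.example.net:80 /static/app.js?v=20140313
"""
```

Calling scan(SAMPLE_LOG) returns the four exploit/payload requests and the callback; the compromised mappery.com page itself is not flagged because only the iframed Fiesta URLs carry the token pattern.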

 

A RELATED VM INFECTION

On 2014-03-11, I had infected a VM from the same compromised web site.  The infection generated similar traffic; however, it was a different malware payload.  At first, the traffic is nearly identical:

However, in addition to the similar traffic noted above, I also saw the following Asprox-style traffic after the initial infection:

 

Shortly after the Asprox-style callback traffic, my machine started sending out Asprox-style malspam:

 

Here's what I saw for alerts on Security Onion on 2014-03-11:

 

Here's the malware info:

2014-03-11 Silverlight exploit (same as my Fiesta EK infection on 2014-03-09):
https://www.virustotal.com/en/file/c9fb7cbbc084f64ec44cd93eb294920cf801f37bfca42d37f5d7dd0aaa83fedb/analysis/
2014-03-11 Java exploit (same as my Fiesta EK infection on 2014-03-09):
https://www.virustotal.com/en/file/3c4a475c7bf334eff3baed3adfad18dae63df8fa925630478b9eedbd94f351d5/analysis/
2014-03-11 malware payload: 01394553707483.exe
https://www.virustotal.com/en/file/a53018328fa4d5b2d6148eae6eeee4e12292cff1acea5a77d2568c1bffd89390/analysis/
2014-03-11 follow-up malware: UpdateFlashPlayer_ae6914ec.exe
https://www.virustotal.com/en/file/36531452b9d111d851c449e08f5d2a354e146270f5b2033a82727b340c8e9d1e/analysis/

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
