2014-03-16 - FIESTA EK USES IE AND JAVA EXPLOITS

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-16-Fiesta-EK-java-exploit.jar
File size:  4.7 KB ( 4859 bytes )
MD5 hash:  6aa4afa29af9ccb2c02700ab2e253c3d
Detection ratio:  8 / 49
First submission:  2014-03-14 16:32:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f91aff8edded984f61fc31635f6da9d06cebf85f67d3b8643fcb38c2e889e84c/analysis/


MALWARE PAYLOAD

File name:  2014-03-16-Fiesta-EK-malware-payload.exe
File size:  134.0 KB ( 137216 bytes )
MD5 hash:  41d9f2930ccae800ad875938ca137b0a
Detection ratio:  14 / 48
First submission:  2014-03-16 03:01:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1c0a0652547a9b71097e51483128025704835f9aaf50da3cf762ab97fc11372f/analysis/
Malwr link:  https://malwr.com/analysis/MmU0ODNlNDcwZTU5NGViNmEwMDI1MjIxMTZmOWNlYjk/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the compromised web page - www.kroatie-vakantie.eu/


Fiesta EK delivers IE exploit -
xmjqxjfsub.serveblog.net/1je6bsz/?6cf412a28e4453ae5f060a0f08095006005756000a0603020d5655060402040604


IE exploit delivers malware payload -
xmjqxjfsub.serveblog.net/1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5


Fiesta EK delivers Java exploit -
xmjqxjfsub.serveblog.net/1je6bsz/?4a4c6e8977aa8032551355580f5e090d025504570d515a090f54075103555d0d06


Java exploit delivers malware payload -
xmjqxjfsub.serveblog.net/1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2


Example of the malware callback traffic - 82.100.48.5:8080/76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
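The four Fiesta EK URLs and the callback URL above share a shape that is easy to match in proxy logs: a dynamic-DNS host, a single short directory, and a query string that is one long lowercase hex blob, with a trailing ";N" segment on the requests that returned the payload, followed by a callback to a bare IP on port 8080 with an uppercase hex path. The script below is an added example, not code from the original post: it rebuilds the chain from constructed proxy-log lines assembled from the URLs quoted in this post. The regex lengths, the ";N means payload request" reading, the "request just before the first EK hit is the compromised site" heuristic, the client IP and the timestamps are all assumptions drawn only from this one traffic sample.

```python
import re

# Constructed sample log (timestamp, client, host, URI): the URLs quoted in the
# post reassembled into proxy-log style lines. Client IP and timestamps are invented.
SAMPLE_LOG = """\
2014-03-16T02:58:01Z 192.168.1.105 www.kroatie-vakantie.eu /
2014-03-16T02:58:03Z 192.168.1.105 xmjqxjfsub.serveblog.net /1je6bsz/?6cf412a28e4453ae5f060a0f08095006005756000a0603020d5655060402040604
2014-03-16T02:58:05Z 192.168.1.105 xmjqxjfsub.serveblog.net /1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5
2014-03-16T02:58:07Z 192.168.1.105 xmjqxjfsub.serveblog.net /1je6bsz/?4a4c6e8977aa8032551355580f5e090d025504570d515a090f54075103555d0d06
2014-03-16T02:58:09Z 192.168.1.105 xmjqxjfsub.serveblog.net /1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2
2014-03-16T02:58:15Z 192.168.1.105 82.100.48.5:8080 /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
2014-03-16T02:58:20Z 192.168.1.105 www.example.com /index.html?id=42
"""

# Fiesta EK URI as seen in this sample (assumption: lengths tuned to the four URLs
# above, not a general signature): one short alphanumeric directory, then a query
# string that is a single 60-70 char lowercase hex blob, optionally followed by
# one or more ";<digits>" segments.
FIESTA_URI = re.compile(
    r"^/[a-z0-9]{5,10}/\?(?P<hexblob>[0-9a-f]{60,70})(?P<suffix>(?:;\d+)*)$"
)

# Callback as seen in this sample: bare IPv4:port host and a 40-44 char
# uppercase hex path (assumption based on the single callback URL quoted).
IP_PORT_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
CALLBACK_URI = re.compile(r"^/[0-9A-F]{40,44}$")


def parse_line(line):
    """Split one 'timestamp client host uri' log line into a dict."""
    ts, src, host, uri = line.split(maxsplit=3)
    return {"ts": ts, "src": src, "host": host, "uri": uri}


def classify(host, uri):
    """Return a label for EK or callback traffic, or None for everything else.

    In this sample the exploit-delivery requests carry no ';N' suffix and the
    payload requests do (';5' after the IE exploit, ';1;2' after the Java
    exploit), so the suffix is used to tell the two apart.
    """
    m = FIESTA_URI.match(uri)
    if m:
        suffix = m.group("suffix")
        if suffix:
            return f"fiesta-ek payload request ({suffix})"
        return "fiesta-ek exploit delivery"
    if IP_PORT_HOST.match(host) and CALLBACK_URI.match(uri):
        return "post-infection callback"
    return None


def reconstruct_chain(log_text):
    """Walk the log in order and return [(ts, host, label), ...] for the chain.

    The request immediately preceding the first EK hit is reported as the
    candidate compromised site (heuristic: that is where the iframe lived).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    chain = []
    prev = None
    seen_ek = False
    for ev in events:
        label = classify(ev["host"], ev["uri"])
        if label and label.startswith("fiesta-ek") and not seen_ek:
            seen_ek = True
            if prev is not None:
                chain.append((prev["ts"], prev["host"],
                              "candidate compromised site (request before first EK hit)"))
        if label:
            chain.append((ev["ts"], ev["host"], label))
        prev = ev
    return chain


if __name__ == "__main__":
    for ts, host, label in reconstruct_chain(SAMPLE_LOG):
        print(ts, host, label)
```

Run against a real proxy export by replacing SAMPLE_LOG with lines in the same four-field shape; anything the regexes miss stays silent, so widen the hex-length bounds before trusting a negative result on a different Fiesta sample.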


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
