2014-03-18 - FIESTA EK

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-03-18-Fiesta-EK-silverlight-exploit.xap
File size:  5.1 KB ( 5258 bytes )
MD5 hash:  b2c4558a4b2181f9978fd905754a3ea9
Detection ratio:  0 / 50
First submission:  2014-03-17 14:14:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2e243de7732da4488f9107ede50ad7b982966d92ccf566bcdb7e72181b3f9e3a/analysis/

JAVA EXPLOIT

File name:  2014-03-18-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7480 bytes )
MD5 hash:  abe1108a9d623a6fa9ee0ebf1abf5a5a
Detection ratio:  3 / 50
First submission:  2014-03-18 04:34:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/44a6ad41792c8ac893202282e6d7b3e122defee2f35a15b010cb7eba63085afa/analysis/

MALWARE PAYLOAD

File name:  2014-03-18-Fiesta-EK-malware-payload.exe
File size:  296.0 KB ( 303104 bytes )
MD5 hash:  ad8fd1f78928fa0ccdb01c54a07ef396
Detection ratio:  4 / 50
First submission:  2014-03-18 04:35:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c2c0b4c8ed9716e904ad72fae5489a31a507e94f58e7a707c0bbb3437f41fd22/analysis/
Malwr link:  https://malwr.com/analysis/ODcyMTEwYWIwYjkzNDE3NmJjZmI5YjUxOGYyODYyNGY/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript in the infected web page -
forum.pafoa.org/rifles-42/38841-pgh-area-ak47-finder-seen-any-post-here-page-5.html

Redirect -
eleniteski.com/evatlqhdgs.js?f88efe02305b45c3

Fiesta EK delivers Silverlight exploit -
bsxedc.in.ua/8y3ig0t/?7221ef37b4242b0c445e440a575d00040f070b0a5104030c0201000606525100;5110411

Silverlight exploit delivers EXE payload -
bsxedc.in.ua/8y3ig0t/?28fd49dc91e5ab4951480d5f060257500a0d5f5f005b5458070b5453570d0654;6

Fiesta EK delivers Java exploit -
bsxedc.in.ua/8y3ig0t/?6a5876cbed81e3f4590e5703050d50510e540c03035453590352070f54020051

Java exploit delivers same EXE payload -
bsxedc.in.ua/8y3ig0t/?0f4925db5aee94ef531e5102000e575108530d02065754590555060e51010655;1;4

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
