2014-03-26 - FIESTA EK

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-03-26-Fiesta-EK-silverlight-exploit.xap
File size:  5.1 KB ( 5265 bytes )
MD5 hash:  eb74945c840dfd74a171639f379777aa
Detection ratio:  22 / 51
First submission:  2014-03-19 15:32:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bed60e3715e542881d5e80784bdcbb4945a6a8375a63cbde6436a2782593a87c/analysis/

JAVA EXPLOIT

File name:  2014-03-26-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7462 bytes )
MD5 hash:  d529b2a500b94641fa89157f14d46608
Detection ratio:  11 / 51
First submission:  2014-03-22 03:59:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4d56c4a8ddf5bed48b6fc8641f87ff356e272d52c2516d4dfb00575f64e3e0c/analysis/

MALWARE PAYLOAD

File name:  2014-03-26-Fiesta-EK-malware-payload.exe
File size:  224.0 KB ( 229376 bytes )
MD5 hash:  1d6c7eae75e425ae4f404385313ae77c
Detection ratio:  7 / 51
First submission:  2014-03-26 15:32:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/98c02526e9b512a7100296e10832e90d1eed5064633dd0110adcb9bfc0574d92/analysis/
Malwr link:  https://malwr.com/analysis/OGNiYjRjODgwYTg2NDdjYmE4ZTZmMjIyNjkzNjljYTU/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded javascript in web page from compromised server - www.christianforums.com /t7809794/

Redirect - hillkikins.com/kljhbat.js?ea39522c422199e4

Fiesta EK delivers Silverlight exploit -
bvtgbt.in.ua/57rcvhf/?15147e80e54dd1794259470f055e0905010702050c515a000a0002070503090452;5110411

Silverlight exploit delivers EXE payload -
bvtgbt.in.ua/57rcvhf/?0ed55026e3dea5e653150f0e070b0303005757040e0450060b5057060756030253;6

Fiesta EK delivers Java exploit -
bvtgbt.in.ua/57rcvhf/?2066fd4d6dec56c35d5f540d545f0551020205075d505654090505055402055205

Java exploit delivers the same EXE payload -
bvtgbt.in.ua/57rcvhf/?33b158b7dca0a804504b070a07035302030151000e0c000708065102075e530350;1;4

Post-infection callback traffic - kuyuacgsiowawsqa.org/

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
