2014-03-28 - FIESTA EK USES MSIE, SILVERLIGHT, AND JAVA EXPLOITS

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-28-Fiesta-EK-java-exploit.jar
File size:  4.8 KB ( 4940 bytes )
MD5 hash:  5f3165b202080512f29479ccc9367178
Detection ratio:  2 / 51
First submission:  2014-03-27 15:43:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6ffd34adddbcf280c4ae26e117e9bb0ae18a0d55ee4022248b27fe4154f57df0/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-03-28-Fiesta-EK-silverlight-exploit.xap
File size:  5.3 KB ( 5400 bytes )
MD5 hash:  233535ba2620a88386d2ca6fc06a6c30
Detection ratio:  0 / 51
First submission:  2014-03-28 06:57:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0d651cdf1248584d0ab5490f8f488c11d043c2f1daa4b378ebd1891280bfdb9a/analysis/

MALWARE PAYLOAD

File name:  2014-03-28-Fiesta-EK-malware-payload.exe
File size:  122.2 KB ( 125171 bytes )
MD5 hash:  dc7139e1f9bc24fde1d7b1be9f4f644c
Detection ratio:  5 / 48
First submission:  2014-03-28 06:58:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/898815a16f711d511943558423a127d030bcbe645a3c30434b3e1536bac9114d/analysis/
Malwr link:  https://malwr.com/analysis/MzFkMGU2MGMwZDgwNGY3ZmE1YjBjNzk3MjI1ZDU1YWI/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript in page from compromised web server

Redirect

Fiesta EK delivers MSIE exploit CVE-2013-2551

MSIE exploit CVE-2013-2551 delivers EXE payload

Fiesta EK delivers Silverlight exploit CVE-2013-0074

Silverlight exploit CVE-2013-0074 delivers EXE payload

Fiesta EK delivers Java exploit

Java exploit delivers EXE payload

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.