Malware-Traffic-Analysis.net - 2014-03-28 - Fiesta EK uses MSIE, Silverlight, and Java exploits

2014-03-28 - FIESTA EK USES MSIE, SILVERLIGHT, AND JAVA EXPLOITS

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

06:40:07 UTC - www.toonzone[.]net - GET /forums/adult-swim-toonami-forum/
06:40:08 UTC - ilinsting[.]com - GET /szjhmucw.js?3ad1359a5153d640
06:40:09 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?2
06:40:11 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?25b6d1b1cb76ec625b500e0d560a50040703520d5053520a0706510355090109
06:40:12 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?2d8a97d01a056fdd41084e5a0b0c56050752085a0d55540b07570b54080f0708;5110411
06:40:14 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?02bb88c62d7306c8534209590a035103050452590c5a530d0501515709000057;5
06:40:15 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?02bb88c62d7306c8534209590a035103050452590c5a530d0501515709000057;5;1
06:40:42 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?2ad5cdef3fc4ef9851110f0e515f57530757540e5706555d07525700525c065e;6
06:40:43 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?2ad5cdef3fc4ef9851110f0e515f57530757540e5706555d07525700525c065e;6;1
06:40:43 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?5998786b9c7a1ffe544b580305030457000f0903035a0659000a0a0d0600555a
06:40:49 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?59576b00f4cfd03e5641500c04590205000f050c0200000b000a0602075a5308;1;2
06:40:49 UTC - bgbyhn[.]in[.]ua - GET /hdjng94/?59576b00f4cfd03e5641500c04590205000f050c0200000b000a0602075a5308;1;2;1

JAVA EXPLOIT

File name: 2014-03-28-Fiesta-EK-java-exploit.jar
File size: 4,940 bytes
MD5 hash: 5f3165b202080512f29479ccc9367178
Detection ratio: 2 / 51
First submission: 2014-03-27 15:43:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ffd34adddbcf280c4ae26e117e9bb0ae18a0d55ee4022248b27fe4154f57df0/analysis/

SILVERLIGHT EXPLOIT

File name: 2014-03-28-Fiesta-EK-silverlight-exploit.xap
File size: 5,400 bytes
MD5 hash: 233535ba2620a88386d2ca6fc06a6c30
Detection ratio: 0 / 51
First submission: 2014-03-28 06:57:39 UTC
VirusTotal link: https://www.virustotal.com/en/file/0d651cdf1248584d0ab5490f8f488c11d043c2f1daa4b378ebd1891280bfdb9a/analysis/

MALWARE PAYLOAD

File name: 2014-03-28-Fiesta-EK-malware-payload.exe
File size: 125,171 bytes
MD5 hash: dc7139e1f9bc24fde1d7b1be9f4f644c
Detection ratio: 5 / 48
First submission: 2014-03-28 06:58:24 UTC
VirusTotal link: https://www.virustotal.com/en/file/898815a16f711d511943558423a127d030bcbe645a3c30434b3e1536bac9114d/analysis/

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

2014-03-28 06:40:08 UTC - 190.123.47[.]198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
2014-03-28 06:40:09 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS FiestaEK js-redirect
2014-03-28 06:40:09 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
2014-03-28 06:40:09 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
2014-03-28 06:40:11 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
2014-03-28 06:40:12 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET INFO JAVA - Java Archive Download By Vulnerable Client
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
2014-03-28 06:40:43 UTC - 64.202.116[.]124:80 - ET TROJAN Generic - 8Char.JAR Naming Algorithm