2014-04-05 - FIESTA EK

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT - CVE-2013-0074

File name:  2014-04-05-Fiesta-EK-silverlight-exploit.xap
File size:  5.3 KB ( 5396 bytes )
MD5 hash:  85f7d443373e6150333752ce8ba14388
Detection ratio:  18 / 51
First submission:  2014-04-01 00:22:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/977514f84e79294e2c28664beeb5d629263eef7d40ca6919d0396e7e8dd9c9d4/analysis/

JAVA EXPLOIT

File name:  2014-04-05-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7460 bytes )
MD5 hash:  17575d806f5ad6eb1cfa951948f618c0
Detection ratio:  7 / 51
First submission:  2014-04-01 00:22:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/91578a8568e1d3f4b28fc87b9a4274923884b852d2190b51e53f828331d07082/analysis/

MALWARE PAYLOAD

File name:  2014-04-05-Fiesta-EK-malware-payload.exe
File size:  138.4 KB ( 141687 bytes )
MD5 hash:  62639b4c0e3861c4afb71e2692e0f2bf
Detection ratio:  4 / 51
First submission:  2014-04-05 22:37:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6ca596f7b9966f737768f184c8b2f539a0b87ebe55bdba750c61d4cadb9d8a03/analysis/
Malwr link:  https://malwr.com/analysis/MGIyMjAwMWEwODE5NDBhZTk2OTVjZmQwMzc1MjI0NmI/

SNORT EVENTS

SNORT EVENTS FROM THE INFECTION TRAFFIC (from Sguil on Security Onion)

MISC

Embedded JavaScript in the infected web page that led to the Fiesta exploit kit:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.