2014-04-08 - FIESTA EK USES A FLASH EXPLOIT

ASSOCIATED FILES:

NOTES:

UPDATE


CHAIN OF EVENTS

ASSOCIATED DOMAINS

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-04-08-Fiesta-EK-flash-exploit.swf
File size:  7.7 KB ( 7853 bytes )
MD5 hash:  eb343c450abd625d2119b98dcc0d62d7
Detection ratio:  0 / 51
First submission:  2014-04-08 05:34:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a3791ec300f8e082bd24e8c265bbf694b71d790ad90c5b3a68bcc6b762e99a68/analysis/
Malwr link:  https://malwr.com/analysis/ZWY0M2E0NDNmMzBhNDQyYTk1Y2MwNTE3ZjM0OThiYzI/

The first three bytes are CWS, the signature of a zlib-compressed SWF (an uncompressed SWF starts with FWS), so the file is compressed rather than a plain archive.  7-Zip recognizes the format, and I could extract the larger, decompressed SWF from it:

A quick check on the extracted file shows a Flash file with many more ASCII strings available:

File name:  2014-04-08-Fiesta-EK-flash-exploit-extracted.swf
File size:  9.9 KB ( 10160 bytes )
MD5 hash:  6494d37a7064fb4d767b790435eb5d6a
Detection ratio:  0 / 50
First submission:  2014-04-08 06:56:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7c8bc25d1065d5983c3df5b6311fbae575ba1c26561d7c9c4acef0e4c5ce8324/analysis/
Malwr link:  https://malwr.com/analysis/NDlmMTVkMDc1YzVkNDc3YzliNDk2MGNkZTY0MWJiNmE/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript in the infected web page:

Redirect:

Fiesta EK landing page:

Fiesta EK delivers Flash exploit:
FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
