2014-04-11 - FIESTA EK FROM 64.202.123.50 - 11IMAW1.DIMATUR.PT - FLASH/SILVERLIGHT/JAVA EXPLOITS

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT - CVE-2014-0497

File name:  2014-04-11-Fiesta-EK-flash-exploit.swf
File size:  7.7 KB ( 7853 bytes )
MD5 hash:  eb343c450abd625d2119b98dcc0d62d7
Detection ratio:  9 / 51
First submission:  2014-04-08 05:34:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a3791ec300f8e082bd24e8c265bbf694b71d790ad90c5b3a68bcc6b762e99a68/analysis/

SILVERLIGHT EXPLOIT - CVE-2013-0074

File name:  2014-04-11-Fiesta-EK-silverlight-exploit.xap
File size:  5.2 KB ( 5318 bytes )
MD5 hash:  15fa75694f0125cae6519fa35dc2f60d
Detection ratio:  2 / 51
First submission:  2014-04-09 13:30:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1af4c7dd99ed12269ade140756c246b2508e79c44f27344447f9ab93f1904538/analysis/

JAVA EXPLOIT - CVE-2013-2465

File name:  2014-04-11-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7440 bytes )
MD5 hash:  807e6834256ebdfcd6d5113878e2d337
Detection ratio:  2 / 50
First submission:  2014-04-11 10:29:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7e9cb2a9c2f420667b2b3cacc9cfe03800b1cb417bb32f6eddcd94eb8c8256e0/analysis/

MALWARE PAYLOAD

File name:  2014-04-11-Fiesta-EK-malware-payload.exe
File size:  122.3 KB ( 125243 bytes )
MD5 hash:  4726f0152707a46a7c76e037e5a2b329
Detection ratio:  6 / 50
First submission:  2014-04-11 10:29:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bcd59c8d547e86a407b15efe23d358a6ca35efeb6e4cbd18c4995cd4148047a1/analysis/
Malwr link:  https://malwr.com/analysis/YmIwNmEwZjFjN2FhNGVjODhiYzNhMWQ1M2Q2OTFlZDc/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

From www.kffl.com to sordonics.com:

From sordonics.com to hizpor.info:

From hizpor.info to 11imaw1.dimatur.pt:

Fiesta EK delivers CVE-2014-0497 Flash exploit:

Flash exploit delivers EXE payload:

Fiesta EK delivers CVE-2013-0074 Silverlight exploit:

Silverlight exploit delivers the same EXE payload:

Fiesta EK delivers CVE-2013-2465 Java exploit:

Java exploit delivers the same EXE payload:

Post-infection callback traffic after the EXE payload was first delivered by the Flash exploit:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
