2014-04-16 - FIESTA EK FROM 64.202.116.158 - CRYRIV.IN.UA - FLASH/SILVERLIGHT/JAVA EXPLOITS

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE AND REDIRECT

FIESTA EK

POST-INFECTION CALLBACK

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT - probably CVE-2014-0497

File name:  2014-04-16-Fiesta-EK-flash-exploit.swf
File size:  7.7 KB ( 7864 bytes )
MD5 hash:  ff67cea6c9b6a23f34b7f928d7414aae
Detection ratio:  1 / 51
First submission:  2014-04-16 01:42:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1508ad57405f803fcad9de0bf5c7cd5415597bdea110fa8914002658cb150a36/analysis/

 

SILVERLIGHT EXPLOIT - probably CVE-2013-0074

File name:  2014-04-11-Fiesta-EK-silverlight-exploit.xap
File size:  5.2 KB ( 5278 bytes )
MD5 hash:  6439eacac11540beea99cc4d8a392c1e
Detection ratio:  0 / 51
First submission:  2014-04-16 01:42:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0560d48b65f91bdbff199e97cf6510e56202c11199f537d564ad21bfe068a24/analysis/

 

JAVA EXPLOIT

File name:  2014-04-11-Fiesta-EK-java-exploit.jar
File size:  7.2 KB ( 7405 bytes )
MD5 hash:  620401f8cf6b042fb7741dd5cb000630
Detection ratio:  1 / 51
First submission:  2014-04-16 01:43:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2a82e30848dc21557b8ea79b8bd8f35ef4f2294af60b6e8487b7147c94c2c2cb/analysis/

 

MALWARE PAYLOAD

File name:  2014-04-16-Fiesta-EK-malware-payload.exe
File size:  133.6 KB ( 136852 bytes )
MD5 hash:  58924cfc85ae8f3677311b8b9b2a63d9
Detection ratio:  4 / 51
First submission:  2014-04-16 01:43:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/66a248361750d9723a924bdd8f96dbc3d052c9f6917cc0ed08c4aa6fe78a326a/analysis/
Malwr link:  https://malwr.com/analysis/YzYzZjg1YzgwMTNjNDBjMzhhZmFlYjFlZThhNWMzYzA/
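The four sample entries above give a file name, a size, an MD5, and a VirusTotal link whose path component is the sample's SHA-256. The script below is an added example, not part of the original post: it transcribes that table into Python and checks the files in a directory (for instance the extracted contents of the associated ZIP) against it, requiring size, MD5 and SHA-256 to all agree before reporting a match. The directory argument and the constructed test bytes are assumptions for illustration.

```python
import hashlib
import sys
from pathlib import Path

# IOC table transcribed from the sample entries in this post: file name, size in
# bytes, MD5, and the VirusTotal link (whose path component is the SHA-256).
SAMPLES = [
    ("2014-04-16-Fiesta-EK-flash-exploit.swf", 7864,
     "ff67cea6c9b6a23f34b7f928d7414aae",
     "https://www.virustotal.com/en/file/1508ad57405f803fcad9de0bf5c7cd5415597bdea110fa8914002658cb150a36/analysis/"),
    ("2014-04-11-Fiesta-EK-silverlight-exploit.xap", 5278,
     "6439eacac11540beea99cc4d8a392c1e",
     "https://www.virustotal.com/en/file/a0560d48b65f91bdbff199e97cf6510e56202c11199f537d564ad21bfe068a24/analysis/"),
    ("2014-04-11-Fiesta-EK-java-exploit.jar", 7405,
     "620401f8cf6b042fb7741dd5cb000630",
     "https://www.virustotal.com/en/file/2a82e30848dc21557b8ea79b8bd8f35ef4f2294af60b6e8487b7147c94c2c2cb/analysis/"),
    ("2014-04-16-Fiesta-EK-malware-payload.exe", 136852,
     "58924cfc85ae8f3677311b8b9b2a63d9",
     "https://www.virustotal.com/en/file/66a248361750d9723a924bdd8f96dbc3d052c9f6917cc0ed08c4aa6fe78a326a/analysis/"),
]

HEX = set("0123456789abcdef")


def sha256_from_vt_url(url):
    """Return the 64-hex-digit SHA-256 embedded in a VirusTotal file URL."""
    for part in url.split("/"):
        part = part.lower()
        if len(part) == 64 and set(part) <= HEX:
            return part
    raise ValueError("no SHA-256 in URL: %s" % url)


def hash_bytes(data):
    """MD5 and SHA-256 hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_sample(data):
    """Return the IOC file name that data matches, or None.

    Size, MD5 and SHA-256 must all agree: matching on MD5 alone would let a
    chosen-prefix collision pass itself off as one of the listed samples.
    """
    md5, sha256 = hash_bytes(data)
    for name, size, ioc_md5, vt_url in SAMPLES:
        if (len(data) == size and md5 == ioc_md5
                and sha256 == sha256_from_vt_url(vt_url)):
            return name
    return None


def scan_directory(directory):
    """Map each regular file in directory to the IOC it matches (or None)."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            results[path.name] = match_sample(path.read_bytes())
    return results


if __name__ == "__main__":
    # Directory to scan is an assumption: defaults to the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for filename, ioc in scan_directory(target).items():
        print("%-50s %s" % (filename, ioc or "no match"))
```

Run it as `python check_iocs.py <dir>`; anything reported as "no match" is either not one of the four samples or has been modified since submission.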

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

www.excelforum.com (compromised website) to valeriesn.com (redirect):

 

valeriesn.com (redirect) to cryriv.in.ua (Fiesta EK):

 

HTTP GET requests for the three exploits seen (Flash, Silverlight, and Java):

 

HTTP GET requests caused by the three exploits that all delivered the same malware payload:

 

Post-infection callback traffic seen:
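The traffic highlights above describe a referral chain (compromised site to redirector to Fiesta EK), three exploit requests, and payload fetches that all went to the same server. The script below is an added example, not part of the original post: it rebuilds that chain from HTTP request summaries by walking Referer headers backwards, and separates the EK server's browser-driven requests from the Referer-less fetches where the exploit-driven payload downloads appear. The host names and the EK IP are the ones in this post; the request paths, the 203.0.113.x addresses and the whole request list are constructed placeholders, not Fiesta's real URL patterns.

```python
from collections import Counter
from urllib.parse import urlparse

EK_HOST = "cryriv.in.ua"
EK_IP = "64.202.116.158"

# Constructed request summaries standing in for the pcap behind this post.
# Only the hosts and EK_IP come from the post; paths and Referer values are placeholders.
REQUESTS = [
    {"dst_ip": "203.0.113.10", "host": "www.excelforum.com", "path": "/forum/",
     "referer": None},
    {"dst_ip": "203.0.113.20", "host": "valeriesn.com", "path": "/redirect.js",
     "referer": "http://www.excelforum.com/forum/"},
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/landing",
     "referer": "http://valeriesn.com/redirect.js"},
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/exploit.swf",
     "referer": "http://cryriv.in.ua/landing"},
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/exploit.xap",
     "referer": "http://cryriv.in.ua/landing"},
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/exploit.jar",
     "referer": "http://cryriv.in.ua/landing"},
    # Payload fetches issued by the exploited plugins carry no Referer.
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/payload-1", "referer": None},
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/payload-2", "referer": None},
    {"dst_ip": EK_IP, "host": EK_HOST, "path": "/payload-3", "referer": None},
]


def referer_host(referer):
    """Host part of a Referer URL, or None when the header is absent."""
    return urlparse(referer).hostname if referer else None


def redirect_chain(requests, ek_host):
    """Reconstruct the referral chain that led to ek_host, oldest hop first.

    Walks Referer headers backwards from requests to ek_host, skipping
    intra-site referrals (a host already in the chain) and stopping at the
    first hop whose requests carry no external Referer.
    """
    by_host = {}
    for r in requests:
        by_host.setdefault(r["host"], []).append(r)
    chain = [ek_host]
    current = ek_host
    while True:
        prev = None
        for r in by_host.get(current, []):
            h = referer_host(r["referer"])
            if h is not None and h not in chain:
                prev = h
                break
        if prev is None:
            break
        chain.append(prev)
        current = prev
    return chain[::-1]


def ek_requests(requests, ek_ip):
    """Split requests to the EK server by whether the browser sent a Referer.

    Requests with a Referer are the landing page and the exploit files it
    loaded; Referer-less ones are where the exploit-driven payload fetches show up.
    """
    to_ek = [r for r in requests if r["dst_ip"] == ek_ip]
    with_ref = [r["path"] for r in to_ek if r["referer"]]
    without_ref = [r["path"] for r in to_ek if not r["referer"]]
    return with_ref, without_ref


def host_counts(requests):
    """Number of requests per Host header, to show where the traffic concentrates."""
    return Counter(r["host"] for r in requests)


if __name__ == "__main__":
    print("chain:", " -> ".join(redirect_chain(REQUESTS, EK_HOST)))
    browser, plugin = ek_requests(REQUESTS, EK_IP)
    print("EK requests with Referer:", browser)
    print("EK requests without Referer:", plugin)
    print("requests per host:", dict(host_counts(REQUESTS)))
```

Treat the Referer chain as corroborating evidence rather than proof: browsers omit the header on some transitions and a page can set a referrer policy that strips it, so the hop order should be checked against the request timing and the redirect responses in the pcap.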

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
