2014-04-18 - FIESTA EK FROM 64.202.116.158 - CPDELS.IN.UA - FLASH/SILVERLIGHT/JAVA EXPLOITS

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE AND REDIRECT

FIESTA EK

POST-INFECTION CALLBACK

PRELIMINARY MALWARE ANALYSIS

2014-04-18-Fiesta-EK-flash-exploit.swf  -  MD5 hash: ff67cea6c9b6a23f34b7f928d7414aae  (same as on 2014-04-16)

2014-04-18-Fiesta-EK-silverlight-exploit.xap  -  MD5 hash: 6439eacac11540beea99cc4d8a392c1e  (same as on 2014-04-16)

2014-04-18-Fiesta-EK-java-exploit.jar  -  MD5 hash: 620401f8cf6b042fb7741dd5cb000630  (same as on 2014-04-16)

2014-04-18-Fiesta-EK-malware-payload.exe  -  MD5 hash: 6ed7196849f3d671c9139c5ba1a9fecf

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

SCREENSHOTS FROM THE TRAFFIC

2coolfishing.com (compromised website) to punkisti.com (redirect):

punkisti.com (redirect) to cpdels.in.ua (Fiesta EK):

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.