2014-05-09 - FIESTA EK FROM - 205.234.214.168 - 9XGERH0.DIMATUR.PT

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

FIESTA EK:

POST-INFECTION CALLBACK:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-05-09-Fiesta-EK-java-exploit.jar
File size:  4.7 KB ( 4841 bytes )
MD5 hash:  cf6f537855ae300c490cf8287cf73f60
Detection ratio:  5 / 52
First submission:  2014-05-08 02:16:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/efa0080779a5218db2529203716c8e95a811e5f4c4e468184b9e0e7f45875ae6/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-05-09-Fiesta-EK-silverlight-exploit.xap
File size:  5.2 KB ( 5335 bytes )
MD5 hash:  6ecac70fe1a8202709168802b8af3831
Detection ratio:  0 / 52
First submission:  2014-05-09 07:14:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/18c4d378473ac1e5f97f467eac5efd20069fe378b6b916e439bb600ca9a734ea/analysis/


FLASH EXPLOIT

File name:  2014-05-09-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 10037 bytes )
MD5 hash:  044cbfdd392380c696c06e7e6cdbc4f6
Detection ratio:  0 / 52
First submission:  2014-05-08 15:28:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bcbabb7d8ae512ff3f8e8e986e698c8f96b8988397f172bc7c934ae559638b78/analysis/

File name:  2014-05-09-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15.1 KB ( 15473 bytes )
MD5 hash:  c94e253db4ecbdea4f03667b3d11b360
Detection ratio:  0 / 52
First submission:  2014-05-09 07:15:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef22d0f8d90f43e02bd53e5b059754dce650493b15b2549dfcd37a7b42539760/analysis/


MALWARE PAYLOAD

File name:  2014-05-09-Fiesta-EK-malware-payload.exe
File size: 
MD5 hash: 
Detection ratio: 
First submission: 
VirusTotal link:  https://www.virustotal.com/en/file/403a8e164843314f87f1514f7037ea5138d685cfbea5144e13c7edfbacea73ee/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


PATH FROM COMPROMISED WEBSITE TO FIESTA EK DOMAIN

From www.dressupgames.com/celebrities/hipster-barbie-dress-up-game-10507.html to www.dressupgames.com/assets/javascript/dug-javascript.js


From www.dressupgames.com/assets/javascript/dug-javascript.js to matrica.aktivator.biz/j.php?i


From matrica.aktivator.biz/j.php?i to fakal.info/swfeasy/banner.swf


From fakal.info/swfeasy/banner.swf?cid=lbo4kf4kh6kbbfoo854o2dp9a7 to rewol.info/adv.php?cid=lbo4kf4kh6kbbfoo854o2dp9a7
NOTE: This is a Flash ad-based redirect.


From rewol.info/adv.php?cid=lbo4kf4kh6kbbfoo854o2dp9a7 to 9xgerh0.dimatur.pt/0vzh954/2
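The hop-by-hop path above can be rebuilt automatically from proxy or sensor records by following Referer headers back from the exploit kit landing URL. The script below is an added example for this write-up, not code from the page or from any tool it mentions: the hosts in INDICATORS and the URLs in the REQUESTS records are taken from the chain listed above, the role labels follow the page's own section names, and the REQUESTS records themselves are constructed to mirror that chain (including one unrelated request), not captured traffic.

```python
"""Reconstruct the redirect chain behind an exploit-kit landing from HTTP
request records, tagging each hop with its role in the infection chain.

Added example for this write-up, not code from the page or from any tool it
mentions. The hosts in INDICATORS are taken from the page and labelled with
the page's own section names; the REQUESTS records are constructed to mirror
the hops the page lists, not captured traffic."""

from urllib.parse import urlsplit

# Hosts named on the page, with the role the page assigns them.
INDICATORS = {
    "www.dressupgames.com": "compromised website",
    "matrica.aktivator.biz": "redirect",
    "fakal.info": "redirect (Flash ad)",
    "rewol.info": "redirect",
    "9xgerh0.dimatur.pt": "Fiesta EK",
}

LANDING = "http://www.dressupgames.com/celebrities/hipster-barbie-dress-up-game-10507.html"
BANNER = "http://fakal.info/swfeasy/banner.swf?cid=lbo4kf4kh6kbbfoo854o2dp9a7"
ADV = "http://rewol.info/adv.php?cid=lbo4kf4kh6kbbfoo854o2dp9a7"
EK_URL = "http://9xgerh0.dimatur.pt/0vzh954/2"

# Constructed records in time order: (requested URL, Referer header or None).
# The Referer values follow the hop order the page states.  An unrelated
# request (www.example.com) is mixed in to show it is not pulled into the chain.
REQUESTS = [
    (LANDING, None),
    ("http://www.dressupgames.com/assets/javascript/dug-javascript.js", LANDING),
    ("http://matrica.aktivator.biz/j.php?i",
     "http://www.dressupgames.com/assets/javascript/dug-javascript.js"),
    (BANNER, "http://matrica.aktivator.biz/j.php?i"),
    ("http://www.example.com/favicon.ico", "http://www.example.com/"),
    (ADV, BANNER),
    (EK_URL, ADV),
]


def host_of(url):
    return urlsplit(url).hostname or ""


def classify(host):
    """Role of host if it is an indicator host or a subdomain of one, else None."""
    for indicator, role in INDICATORS.items():
        if host == indicator or host.endswith("." + indicator):
            return role
    return None


def predecessor(index, requests):
    """Index of the request that led to requests[index], or None.

    Prefer the latest earlier request whose URL equals the Referer.  Fall back
    to the latest earlier request on the Referer's host: script- and
    Flash-initiated loads often carry the embedding page as Referer rather
    than the script or SWF that issued them, and this keeps them attached.
    """
    referer = requests[index][1]
    if not referer:
        return None
    for j in range(index - 1, -1, -1):
        if requests[j][0] == referer:
            return j
    ref_host = host_of(referer)
    for j in range(index - 1, -1, -1):
        if host_of(requests[j][0]) == ref_host:
            return j
    return None


def chain_to(url, requests):
    """Walk Referer links back from url to its root; list of (url, role), root first."""
    index = next((k for k, (u, _) in enumerate(requests) if u == url), None)
    chain, seen = [], set()
    while index is not None and index not in seen:
        seen.add(index)
        u = requests[index][0]
        chain.append((u, classify(host_of(u))))
        index = predecessor(index, requests)
    chain.reverse()
    return chain


def ek_landings(requests):
    """URLs whose host the indicator table tags as the exploit kit."""
    return [u for u, _ in requests if classify(host_of(u)) == "Fiesta EK"]


if __name__ == "__main__":
    for landing in ek_landings(REQUESTS):
        for url, role in chain_to(landing, REQUESTS):
            print(f"{role or 'unknown':22} {url}")
```

Matching by host suffix means a later Fiesta EK landing on another subdomain of the same indicator host is still caught, while the parent domain on its own is not flagged, since the page only names the single subdomain. The host-based fallback in predecessor is what keeps the chain intact when a real Referer points at the embedding page instead of the script or Flash file that issued the request.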

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
