2014-05-12 - FIESTA EK FROM 69.64.58.165 - HKJSEJLH.SERVEQUAKE.COM

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

WEB PAGE FROM COMPROMISED WEBSITE:

FIESTA EK:

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

SEE 2014-05-09 BLOG ENTRY FOR FLASH, JAVA, AND SILVERLIGHT EXPLOITS

 

MALWARE PAYLOAD

File name:  2014-05-12-Fiesta-EK-malware-payload.exe
File size:  132.0 KB ( 135172 bytes )
MD5 hash:  5b63dad059b5e22bc3b5c338b308e40f
Detection ratio:  3 / 52
First submission:  2014-05-12 01:25:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ae04f29418b636d4f17f6c566dc05402873232a63b9b3d0584059eb65f9649fa/analysis/
Malwr link:  https://malwr.com/analysis/ZTA2OTJmNzczMjFhNDFkZDliZDFhN2NhODNjMGYyZTE/

 

POST-INFECTION ASPROX-STYLE MALWARE

File name:  UpdateFlashPlayer_1cc580e5.exe
File size:  208.0 KB ( 212992 bytes )
MD5 hash:  90a88230d5b657ced3b2d71162a33cff
Detection ratio:  3 / 52
First submission:  2014-05-12 01:27:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/357f16844a204f813310cd0eb0af1204a4e2ce93eae97c9cd598ef2dbdf99b76/analysis/
Malwr link:  https://malwr.com/analysis/N2MxZGI3OWM0NDVkNDkxYTgzNTY3MzA4Yzk4M2EwNjI/

NOTE: The Malwr link indicates click-fraud traffic, which happened after I stopped the PCAP.

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious iframe in page from compromised website

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
