2014-05-18 - FIESTA EK FROM 69.64.58.165 - OXQBCE.REDIRECTME.NET

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE:

FIESTA EK:  69.64.58.165 - oxqbce.redirectme.net

POST-INFECTION CALLBACK:

START OF CLICKFRAUD TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-18-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 9988 bytes )
MD5 hash:  ae6a35c9a7aabe60f226880fa6ba6104
Detection ratio:  0 / 53
First submission:  2014-05-18 23:37:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9f695fe3fe1d013d1134177eed671ebb14d3938902ecc8af2b50908dfeeee688/analysis/

File name:  2014-05-18-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15.2 KB ( 15611 bytes )
MD5 hash:  f3192d933b04a282f99e3b3c13bb0d10
Detection ratio:  0 / 52
First submission:  2014-05-18 23:45:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f3de428e6516cd808c0188fcc3ea62c593bad66c93adeda92b8f251477e4a6bd/analysis/

JAVA EXPLOIT

File name:  2014-05-18-Fiesta-EK-java-exploit.jar
File size:  4.7 KB ( 4855 bytes )
MD5 hash:  075dcf72757e358109cee8fa7fb82800
Detection ratio:  1 / 53
First submission:  2014-05-18 07:26:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fb26ea2072d70cbbed4523a54ab31db3d0d0d1b39cc08524af32a2bb37c16a14/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-05-18-Fiesta-EK-silverlight-exploit.xap
File size:  5.2 KB ( 5358 bytes )
MD5 hash:  a920d4ead958746e4886859fc28dbcdb
Detection ratio:  1 / 52
First submission:  2014-05-18 23:38:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3601489a4eed7c048e564382d3b693583fca42d596def5419efc5bf9db37ddf5/analysis/

MALWARE PAYLOAD

File name:  2014-05-18-Fiesta-EK-malware-payload.exe
File size:  132.0 KB ( 135172 bytes )
MD5 hash:  e0b471f2a607ca40ab40bf4d6888bb55
Detection ratio:  2 / 53
First submission:  2014-05-18 23:35:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/197b7fda3faf4581fcf14e16ce25a5dc1d680660fba07cbc0ef8e652a76fbdc6/analysis/
Malwr link:  https://malwr.com/analysis/Y2VkNGVmNzkyZmI4NDk4ZmI3MDQ5Mzc4OGU3NGY2YjQ/

POST-INFECTION ADDITIONAL MALWARE

File name:  UpdateFlashPlayer_61f283cb.exe
File size:  171.9 KB ( 175976 bytes )
MD5 hash:  dc8d510efeb6f88348ad2dfb82dee9fe
Detection ratio:  3 / 52
First submission:  2014-05-18 20:32:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cb5b72e31b606b30874f4833901b2106d0a79fbb6682ed031f735c2f9e204c9d/analysis/
Malwr link:  https://malwr.com/analysis/NTJjYzk4ZmYyOWFhNGQ5MGE0MTQ5M2VmOGI3MjJhNjA/
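The file listing above is the form most of these write-ups take: one "Key:  value" block per sample, with the SHA256 only recoverable from the VirusTotal URL. The script below is an added example (not part of the original write-up) that turns that plain-text layout into a structured indicator set a defender can feed into a hash blocklist or a hunting query, and that also pulls the date, exploit-kit IP and domain out of the page title. The sample text embedded in it is copied from this page's own listing (three of the six records); the parsing functions and their names are the example's, not anything the site provides.

```python
"""Parse the 'Key:  value' indicator listing used on this page into records.

Added example, not the write-up's own code. LISTING and TITLE below are
copied from this page; every function name here is this example's own.
"""
import hashlib
import re

# Constructed sample: three records copied verbatim from the listing above.
LISTING = """\
FLASH EXPLOIT

File name:  2014-05-18-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 9988 bytes )
MD5 hash:  ae6a35c9a7aabe60f226880fa6ba6104
Detection ratio:  0 / 53
First submission:  2014-05-18 23:37:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9f695fe3fe1d013d1134177eed671ebb14d3938902ecc8af2b50908dfeeee688/analysis/

JAVA EXPLOIT

File name:  2014-05-18-Fiesta-EK-java-exploit.jar
File size:  4.7 KB ( 4855 bytes )
MD5 hash:  075dcf72757e358109cee8fa7fb82800
Detection ratio:  1 / 53
First submission:  2014-05-18 07:26:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fb26ea2072d70cbbed4523a54ab31db3d0d0d1b39cc08524af32a2bb37c16a14/analysis/

MALWARE PAYLOAD

File name:  2014-05-18-Fiesta-EK-malware-payload.exe
File size:  132.0 KB ( 135172 bytes )
MD5 hash:  e0b471f2a607ca40ab40bf4d6888bb55
Detection ratio:  2 / 53
First submission:  2014-05-18 23:35:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/197b7fda3faf4581fcf14e16ce25a5dc1d680660fba07cbc0ef8e652a76fbdc6/analysis/
Malwr link:  https://malwr.com/analysis/Y2VkNGVmNzkyZmI4NDk4ZmI3MDQ5Mzc4OGU3NGY2YjQ/
"""

# The page title, copied as-is.
TITLE = "2014-05-18 - FIESTA EK FROM 69.64.58.165 - OXQBCE.REDIRECTME.NET"

KV_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s{2,}(.*)$")       # "Key:  value"
SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")           # hash inside VT URL
SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")           # "( 9988 bytes )"
TITLE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) - (.+?) FROM (\d{1,3}(?:\.\d{1,3}){3}) - (\S+)$")


def parse_listing(text):
    """Return one dict per 'File name:' block; section headings are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        m = KV_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "file name":
            current = {"file_name": value}
            records.append(current)
        elif current is None:
            continue
        elif key == "file size":
            sm = SIZE_RE.search(value)
            current["size_bytes"] = int(sm.group(1)) if sm else None
        elif key == "md5 hash":
            current["md5"] = value.lower()
        elif key == "detection ratio":
            hits, total = (int(x) for x in value.split("/"))
            current["detections"], current["engines"] = hits, total
        elif key == "virustotal link":
            hm = SHA256_RE.search(value)
            current["sha256"] = hm.group(1) if hm else None
    return records


def lookup_hash(digest, records):
    """Record whose MD5 or SHA256 equals digest (any case), else None."""
    digest = digest.strip().lower()
    for r in records:
        if digest in (r.get("md5"), r.get("sha256")):
            return r
    return None


def hash_file(path):
    """MD5 and SHA256 of a file on disk, to compare against the listing."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def low_detection(records, threshold=3):
    """File names flagged by fewer than `threshold` engines at submission."""
    return [r["file_name"] for r in records if r.get("detections", 0) < threshold]


def network_iocs_from_title(title):
    """Date, kit name, IP and (lowercased) domain from the write-up title."""
    m = TITLE_RE.match(title.strip())
    if not m:
        return None
    date, kit, ip, domain = m.groups()
    return {"date": date, "kit": kit, "ip": ip, "domain": domain.lower()}


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for r in recs:
        print(f'{r["file_name"]}  md5={r["md5"]}  sha256={r["sha256"]}')
    print("low-detection at submission:", low_detection(recs))
    print("network IoCs:", network_iocs_from_title(TITLE))
```

The SHA256 is taken from the VirusTotal URL rather than typed in, so a record is only as good as the link it was copied from; `lookup_hash` accepts either digest so the same list works whether the sensor reports MD5 or SHA256. `low_detection` makes the point this listing illustrates: at submission time all of these samples were flagged by 0 to 3 engines, so hash matching against a fresh write-up catches what antivirus on the host has not yet learned.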

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Regular page from compromised website:

The same page from compromised website with malicious iframe:

Fiesta EK sends Flash exploit:

Fiesta EK sends MSIE exploit CVE-2013-2551:

Fiesta EK sends Silverlight exploit:

Fiesta EK sends Java exploit:

All of the exploits were successful and delivered the same malware payload:

Post-infection additional malware sent:

Some of the callback traffic to molinaderrec.com:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.