2014-05-21 - FIESTA EK FROM 64.202.116.151 - BIZZESS.IN.UA

ASSOCIATED FILES:

NOTES:

  • For the 2nd and 3rd lines--I was running Flash 11.9.900.170 and Silverlight 4.0.50524
  • Here's today's example:
  • For the 2nd and 3rd lines--I was running Flash 12.0.0.38 and Silverlight 5.1.10411
  • Notice how the question marks after the second slash are gone from today's example.

    CHAIN OF EVENTS

    ASSOCIATED DOMAINS:

    COMPROMISED WEBSITE AND REDIRECT:

    FIESTA EK:


    PRELIMINARY MALWARE ANALYSIS

    FLASH EXPLOIT

    File name:  2014-05-21-Fiesta-EK-flash-exploit.swf
    File size:  9.8 KB ( 10058 bytes )
    MD5 hash:  3a20893aef34ac59c4ada0405e3d4f64
    Detection ratio:  0 / 48
    First submission:  2014-05-21 05:23:01 UTC
    VirusTotal link:  https://www.virustotal.com/en/file/5e34c7a8942f0a3273400a9303864a5790042a865bfab79e2dd04ea2eb1e5af1/analysis/

    File name:  2014-05-21-Fiesta-EK-flash-exploit-decompressed.swf
    File size:  15.2 KB ( 15547 bytes )
    MD5 hash:  8b4c02f809aa52b875e3d895c1be80ab
    Detection ratio:  0 / 53
    First submission:  2014-05-21 05:39:15 UTC
    VirusTotal link:  https://www.virustotal.com/en/file/0e173178fea6075f500cf956cd962f2af2cb492028552ef35168d6449cedf90d/analysis/


    JAVA EXPLOIT

    File name:  2014-05-21-Fiesta-EK-java-exploit.jar
    File size:  7.4 KB ( 7580 bytes )
    MD5 hash:  7b50f95326282f9ae861e96dbf3e62f6
    Detection ratio:  1 / 51
    First submission:  2014-05-21 05:22:42 UTC
    VirusTotal link:  https://www.virustotal.com/en/file/8b07c28b6c6dcee427532f13a83162f1c5f0498e69641ee5218570b2adf238e1/analysis/


    SILVERLIGHT EXPLOIT

    File name:  2014-05-21-Fiesta-EK-Silverlight-exploit.xap
    File size:  5.2 KB ( 5373 bytes )
    MD5 hash:  b7c1899398410839c2877d241872b310
    Detection ratio:  6 / 53
    First submission:  2014-05-21 05:22:27 UTC
    VirusTotal link:  https://www.virustotal.com/en/file/90e5cee826d5c52fe751ae322114efcf65c8d727ef78d36708b4633032784a7e/analysis/


    MALWARE PAYLOAD

    File name:  2014-05-21-Fiesta-EK-malware-payload.dll
    File size:  273.5 KB ( 280064 bytes )
    MD5 hash:  dd2ec0ecfc627d40905fc5df55675053
    Detection ratio:  6 / 51
    First submission:  2014-05-21 05:20:04 UTC
    VirusTotal link:  https://www.virustotal.com/en/file/f5400c12b0ed57875f895c6cd0e4d70ad8ebcc790990a2a6f8248673c004553b/analysis/
    Malwr link:  https://malwr.com/analysis/YTRlODgzMzNkYTE4NDRkZDkxNWJmODdhZjA1NTNhMTA/


    SNORT EVENTS

    SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


    HIGHLIGHTS FROM THE TRAFFIC

    Embedded javascript in page from compromised website (points to the redirect):


    Redirect:


    Fiesta EK delivers Flash exploit:


    Fiesta EK delivers Silverlight exploit:


    Fiesta EK delivers Java exploit:


    The 3 exploits were successful and delivered the same EXE payload, encrypted or otherwise obfuscated:


    FINAL NOTES

    Once again, here are links for the associated files:

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.