2014-05-22 - FIESTA EK FROM 64.202.116.151 - BUSIUSE.IN.UA - 3 EXAMPLES

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

EXAMPLE 1 - ASSOCIATED DOMAINS:

EXAMPLE 1 - TRAFFIC:


EXAMPLE 2 - ASSOCIATED DOMAINS:

EXAMPLE 2 - TRAFFIC:


EXAMPLE 3 - ASSOCIATED DOMAINS:

EXAMPLE 3 - TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

NOTE: The Flash, Java, and Silverlight exploits from these examples are the same as seen in yesterday's blog entry (link).

MALWARE PAYLOAD (FOR ALL 3 EXAMPLES):

File name: 2014-05-22-Fiesta-EK-malware-payload.exe
File size: 325.0 KB (332800 bytes)
MD5 hash: ccb670083f002f43542ec6f9d0a0e2f3
Detection ratio: 12 / 53
First submission: 2014-05-23 00:41:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/398bf893868defc061d69572bc6a1fb70a6ec82fe8eaf3b2cbabe997345052f5/analysis/
Malwr link: https://malwr.com/analysis/ZDM5MTVkNmI3MzU5NDQ5OGJjYzViODc2NTEzZjgwOGU/


SNORT EVENTS

SNORT EVENTS SEEN DURING THE INFECTION TRAFFIC (from Sguil on Security Onion)


SCREENSHOTS FROM THE TRAFFIC

Path to Fiesta EK from example 1:


Path to Fiesta EK from example 2:


Path to Fiesta EK from example 3:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
