2014-05-27 - FIESTA EK FROM 64.202.116.151 - BETTERS.IN.UA

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT:

FIESTA EK:

NOTES:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-27-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 10046 bytes )
MD5 hash:  91292f649c23ff7339c35d5651862643
Detection ratio:  0 / 53
First submission:  2014-05-27 03:41:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/599906e03b0931f5de0abee134a4d990ec995681dd2f334074f217328ae265f4/analysis/

File name:  2014-05-27-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15.2 KB ( 15609 bytes )
MD5 hash:  89881e33e533068bde2416b6a641bcbe
Detection ratio:  0 / 53
First submission:  2014-05-27 03:42:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e3e812cf2bd17710e9f370573591d7b9c8129b97b4a3623799f6ca2745216500/analysis/

JAVA EXPLOIT

File name:  2014-05-27-Fiesta-EK-flash-java.jar
File size:  7.4 KB ( 7561 bytes )
MD5 hash:  c0447d6f0ffd94e2c4268c457e9aff90
Detection ratio:  1 / 51
First submission:  2014-05-27 03:40:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6558539a9a51512893875aa977fa7591c441698587929da815c1f61bc73677b1/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-05-27-Fiesta-EK-silverlight-exploit.xap
File size:  5.3 KB ( 5382 bytes )
MD5 hash:  d5504c146e1c906d02dc9309d6b49249
Detection ratio:  7 / 51
First submission:  2014-05-27 03:40:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e552576f2ca29102e793304a3fba50add822d4bb11a9b7488d4ce40279575458/analysis/

MALWARE PAYLOAD

File name:  2014-05-27-Fiesta-EK-malware-payload.exe
File size:  265.0 KB ( 271360 bytes )
MD5 hash:  62e1eccb403a08c55d619c7ea5e44c5d
Detection ratio:  2 / 53
First submission:  2014-05-27 03:40:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/97e10f7c6e9e3e5c994276bad0a1bbf5dfce2719fc043d01bc53ef68546c8be8/analysis/
Malwr link:  https://malwr.com/analysis/OGM5MDA0NWU5MGZkNGVjY2FmMmRlMmE3MmJkMGNiNmU/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.