2014-06-05 - FIESTA EK FROM 64.202.116.151 - DOGINTOO.IN.UA

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

FIESTA EK:

POST-INFECTION CALLBACK TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-05-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 9999 bytes )
MD5 hash:  7968f2df33712bc73561930180b1a1a8
Detection ratio:  1 / 50
First submission:  2014-06-04 22:54:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f629890d379bc3795f8526ee9c93eb4f3fee65807b8e398e0c0273d0106c4ba2/analysis/

File name:  2014-06-05-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15.3 KB ( 15662 bytes )
MD5 hash:  3c0ef113f37e46a1b8ed10f2457d7111
Detection ratio:  1 / 51
First submission:  2014-06-05 22:09:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f2ef370bfcd64ffb91ac5e1ff28d41f71504a49cbbcba178df5a95ba6619971f/analysis/

JAVA EXPLOIT

File name:  2014-06-05-Fiesta-EK-java-exploit.jar
File size:  4.7 KB ( 4766 bytes )
MD5 hash:  22341b4cebca1696647a4966a9bf93ef
Detection ratio:  6 / 51
First submission:  2014-06-05 17:25:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b2740cf3612a235ac6f2c4a4969ce59883bc81bcfd9c3db9723b05316a807479/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-06-05-Fiesta-EK-silverlight-exploit.xap
File size:  11.2 KB ( 11458 bytes )
MD5 hash:  12952a3839c4fbb3f315fb55ac3b77b2
Detection ratio:  0 / 50
First submission:  2014-06-05 22:09:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/514cec2e3ee686bc7d171ec424bb54b4ab88dfcb2b9231cb86dfd0ce12c1099f/analysis/

MALWARE PAYLOAD

File name:  2014-06-05-Fiesta-EK-malware-payload.exe
File size:  132.5 KB ( 135692 bytes )
MD5 hash:  a379bc80f7bedbe1ba3a3c375a49150f
Detection ratio:  21 / 47
First submission:  2014-06-05 15:58:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/96204263f119d1ab54094104f63bbabe075cae8983f37b59c355dd002652b906/analysis/
Malwr link:  https://malwr.com/analysis/YjY5ZjRmZmE5ODFlNGFmOTg5MGEzMzg4YjczZmRlOTM/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats or ETPRO rulesets:

Sourcefire VRT ruleset:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.