2014-06-07 - FIESTA EK FROM 85.25.20.27 - RUKMNQYEGT.REDIRECTME.NET

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE:

FIESTA EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-07-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 9999 bytes )
MD5 hash:  2014-06-07-Fiesta-EK-flash-exploit.swf
Detection ratio:  1 / 36
First submission:  2014-06-04 22:54:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f629890d379bc3795f8526ee9c93eb4f3fee65807b8e398e0c0273d0106c4ba2/analysis/

File name:  2014-06-07-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15.3 KB ( 15662 bytes )
MD5 hash:  3c0ef113f37e46a1b8ed10f2457d7111
Detection ratio:  2 / 51
First submission:  2014-06-05 22:09:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f2ef370bfcd64ffb91ac5e1ff28d41f71504a49cbbcba178df5a95ba6619971f/analysis/


JAVA EXPLOIT

File name:  2014-06-07-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7446 bytes )
MD5 hash:  ed2e61b302c6ed7ccb3699cc33d23f71
Detection ratio:  1 / 50
First submission:  2014-06-07 02:09:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/92d1bcb375d26a8d55e117b79ae3d41fc2a6cb4e55688c7815b0e732f099b8fc/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-06-07-Fiesta-EK-silverlight-exploit.xap
File size:  11.2 KB ( 11458 bytes )
MD5 hash:  12952a3839c4fbb3f315fb55ac3b77b2
Detection ratio:  3 / 51
First submission:  2014-06-05 22:09:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/514cec2e3ee686bc7d171ec424bb54b4ab88dfcb2b9231cb86dfd0ce12c1099f/analysis/


MALWARE PAYLOAD

File name:  2014-06-07-Fiesta-EK-malware-payload.exe
File size:  132.0 KB ( 135176 bytes )
MD5 hash:  866feb555402f3187e335617b4f83210
Detection ratio:  4 / 50
First submission:  2014-06-07 02:00:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c8584322005284e2e7cdee083bbc6d4ac510ca413dacbd4f520abe6636ab0b49/analysis/
Malwr link:  https://malwr.com/analysis/ODVhNzY5NWM2ZDg3NDdhMmI0YjNhN2U1YTBhMzkzNzA/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:


SCREENSHOT FROM THE TRAFFIC

Malicious JavaScript in the page served by the compromised website:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
