2014-06-11 - FIESTA EK FROM 64.202.116.151 - DOTCOMOR.IN.UA

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

FIESTA EK:

POST-INFECTION CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-11-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 10011 bytes )
MD5 hash:  3776a85e1d72c3b2891324074b321cc1
Detection ratio:  2 / 54
First submission:  2014-06-13 05:14:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/70e576688db8155eefff7cf42134e3f5d9fd4e427beec3067b421408454eb3c9/analysis/


JAVA EXPLOIT

File name:  2014-06-11-Fiesta-EK-java-exploit.jar
File size:  7.7 KB ( 7851 bytes )
MD5 hash:  bb668b724fbf749c62094a014ae01861
Detection ratio:  4 / 54
First submission:  2014-06-10 15:07:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8c87de523be610095c9f32feb4772125b4c49755fbae662bb9237f45c2f4ca14/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-06-11-Fiesta-EK-silverlight-exploit.xap
File size:  11.2 KB ( 11482 bytes )
MD5 hash:  88b15ddb871b858e384fb3ebb17991a9
Detection ratio:  2 / 54
First submission:  2014-06-10 10:16:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/daccb1628ac8ed91c31aa438e96e9732ffa2de7aa4de25d37a49bcb34e3b472c/analysis/


MALWARE PAYLOAD

File name:  2014-06-11-Fiesta-EK-malware-payload.exe
File size:  615.5 KB ( 630272 bytes )
MD5 hash:  b74176ab760cd4752749576e879288f7
Detection ratio:  33 / 54
First submission:  2014-06-11 17:25:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b0e6179f59b6a11f545703293e501bd567429afc423b849284c3202fbee7acb1/analysis/
Malwr link:  https://malwr.com/analysis/YWE1ZjJiNmVkYmUzNDE0OWJlMmNkYWY1OWI1OTFhODI/
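
The hashes in the four entries above are the indicators a reader can actually check against files pulled from a pcap, and the SHA256 of each file appears only as the path component of its VirusTotal link. As an added example (not part of the original post), the Python script below pulls file name, MD5 and SHA256 out of those entries into a lookup table and sweeps a directory, reporting any file whose SHA256 is in the table and cross-checking the writeup's MD5 against it. IOC_TEXT repeats the entries above trimmed to those three lines each; the CONSTRUCTED_ENTRY (the well-known digests of the empty file) and the temporary demo directory are made up so the script produces a hit offline.

```python
"""Build a hash table from this writeup's entries and sweep a directory for
matching files. Added example, not part of the original post. IOC_TEXT repeats
the file name, MD5 and VirusTotal link of each entry above; CONSTRUCTED_ENTRY
and the demo directory are constructed so the script produces a hit offline."""
import hashlib
import os
import re
import tempfile

IOC_TEXT = """
File name:  2014-06-11-Fiesta-EK-flash-exploit.swf
MD5 hash:  3776a85e1d72c3b2891324074b321cc1
VirusTotal link:  https://www.virustotal.com/en/file/70e576688db8155eefff7cf42134e3f5d9fd4e427beec3067b421408454eb3c9/analysis/

File name:  2014-06-11-Fiesta-EK-java-exploit.jar
MD5 hash:  bb668b724fbf749c62094a014ae01861
VirusTotal link:  https://www.virustotal.com/en/file/8c87de523be610095c9f32feb4772125b4c49755fbae662bb9237f45c2f4ca14/analysis/

File name:  2014-06-11-Fiesta-EK-silverlight-exploit.xap
MD5 hash:  88b15ddb871b858e384fb3ebb17991a9
VirusTotal link:  https://www.virustotal.com/en/file/daccb1628ac8ed91c31aa438e96e9732ffa2de7aa4de25d37a49bcb34e3b472c/analysis/

File name:  2014-06-11-Fiesta-EK-malware-payload.exe
MD5 hash:  b74176ab760cd4752749576e879288f7
VirusTotal link:  https://www.virustotal.com/en/file/b0e6179f59b6a11f545703293e501bd567429afc423b849284c3202fbee7acb1/analysis/
"""

# Constructed, test-only entry: the well-known digests of the empty file, not an
# indicator from the writeup. It lets the demo below produce a match.
CONSTRUCTED_ENTRY = """
File name:  constructed-empty-file.bin
MD5 hash:  d41d8cd98f00b204e9800998ecf8427e
VirusTotal link:  https://www.virustotal.com/en/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/
"""

NAME_RE = re.compile(r"File name:\s+(\S+)")
MD5_RE = re.compile(r"MD5 hash:\s+([0-9a-fA-F]{32})")
SHA256_RE = re.compile(r"virustotal\.com/\S*?/file/([0-9a-fA-F]{64})/")


def parse_iocs(text):
    """Return {sha256: {"name": ..., "md5": ...}} for every complete entry.

    Entries are split on "File name:", so the extra lines between fields in the
    full writeup (file size, detection ratio, ...) are simply ignored."""
    iocs = {}
    for chunk in re.split(r"(?=File name:)", text):
        name, md5, sha = NAME_RE.search(chunk), MD5_RE.search(chunk), SHA256_RE.search(chunk)
        if not (name and md5 and sha):
            continue  # preamble, or an entry missing a field
        iocs[sha.group(1).lower()] = {"name": name.group(1), "md5": md5.group(1).lower()}
    return iocs


def hash_file(path):
    """MD5 and SHA256 of a file in one pass, chunked so large payloads need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(directory, iocs):
    """Hash every file under `directory`; report those whose SHA256 is in the table.

    SHA256 is the key. The writeup's MD5 is cross-checked and a disagreement is
    reported, not silently accepted: MD5 collisions are practical, so MD5 alone
    is not proof that two files are the same."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            md5, sha256 = hash_file(path)
            ioc = iocs.get(sha256)
            if ioc is not None:
                hits.append({"path": path, "matched_name": ioc["name"],
                             "md5_agrees": ioc["md5"] == md5})
    return hits


def demo():
    """Sweep a throwaway directory holding one benign file and one empty file
    (which matches CONSTRUCTED_ENTRY). Returns the list of hits."""
    iocs = parse_iocs(IOC_TEXT + CONSTRUCTED_ENTRY)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"benign file, constructed for the demo\n")
        open(os.path.join(tmp, "suspect.bin"), "wb").close()  # zero bytes
        hits = sweep(tmp, iocs)
    for hit in hits:
        print("MATCH %s -> %s (md5 agrees: %s)" % (hit["path"], hit["matched_name"], hit["md5_agrees"]))
    return hits


if __name__ == "__main__":
    demo()
```

Run it as-is for the offline demo, or call sweep(path, parse_iocs(IOC_TEXT)) against a directory of objects carved from the pcap to pick out the four files listed in this post.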


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:


HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:


Redirect pointing to Fiesta EK:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
