2014-07-20 - FIESTA EK FROM 62.212.73.198 - WGXJVD.MYFTP.BIZ

ASSOCIATED FILES:


CHAIN OF EVENTS

FIESTA EK:


POST INFECTION TRAFFIC ON THE VM:


SANDBOX ANALYSIS TRAFFIC FROM MALWR.COM ON THE MALWARE PAYLOAD:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-20-Fiesta-EK-flash-exploit.swf
File size:  9.9 KB ( 10150 bytes )
MD5 hash:  cfb54a37495bb73b8bf7022d5700d0bf
Detection ratio:  0 / 53
First submission:  2014-07-20 02:40:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a77793947db764072f734b2e2168f45e14adffb99b72c9d2c92f9822d7f34159/analysis/


JAVA EXPLOIT:

File name:  2014-07-20-Fiesta-EK-java-exploit.jar
File size:  4.8 KB ( 4914 bytes )
MD5 hash:  1cd0537fbde21b9a53559f4efd4274f1
Detection ratio:  3 / 52
First submission:  2014-07-17 14:46:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8911369a40910c004261a63532d6e2dfed91c8a8772124039ee88217f818d18c/analysis/


SILVERLIGHT EXPLOIT:

File name:  2014-07-20-Fiesta-EK-silverlight-exploit.xap
File size:  11.5 KB ( 11777 bytes )
MD5 hash:  648cc2a876d6028194332af0ac9fcdf6
Detection ratio:  3 / 53
First submission:  2014-07-17 18:43:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7f0188ee01229741f8703f83b06464a8b97cfd73c047cd21ed090efe617c3f44/analysis/


MALWARE PAYLOAD:

File name:  2014-07-20-Fiesta-EK-malware-payload.exe
File size:  100.0 KB ( 102408 bytes )
MD5 hash:  464c76e11266b8259ae3ac2b4dc8ae7b
Detection ratio:  1 / 53
First submission:  2014-07-20 02:05:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c592ffcfe519c5346fc97848c18851cce0b8451f6f48971491c4451416da2bc/analysis/
Malwr link:  https://malwr.com/analysis/MDNmODMyYTRhODlkNGRhZGE0ZTQ2NDA4NmVjOWIxMDA/


FOLLOW-UP MALWARE FROM MALWR.COM PCAP:

File name:  exe.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  885609e439b2d6dba029a572f36f66ea
Detection ratio:  12 / 53
First submission:  2014-07-19 21:41:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4eac236d1d0fb9351800f61a0f8713576f393adf6b0b7e876d1cdc9bc534edf0/analysis/
Malwr link:  https://malwr.com/analysis/MTNkMmJmZGJmODg3NDk5NGIzMmU5MTMxZGQ1YWYwMmI/
NOTE:  This is Rerdom, normally saved to the infected computer as UpdateFlashPlayer_[something].exe in the user's AppData\Local\Temp directory.


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO and ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


SNORT EVENTS AFTER READING PCAP FROM SANDBOX ANALYSIS

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
