2014-07-22 - FIESTA EK FROM 62.212.73.198 - EYMJJYEBO.MYFTP.ORG

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


FIESTA EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

The Flash, Java, and Silverlight exploits are the same as previous Fiesta EK traffic from my 2014-07-20 blog entry ( link ).


MALWARE PAYLOAD

File name:  2014-07-22-Fiesta-EK-malware-payload.exe
File size:  88.0 KB ( 90120 bytes )
MD5 hash:  829dd823d8e1dee4c254571941777486
Detection ratio:  5 / 53
First submission:  2014-07-22 01:57:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/27069a52f4c144550cff83c81e14f5497ff3c016cf536e63b406ae7589bae755/analysis/
Malwr link:  https://malwr.com/analysis/OTlkODc5MTY0OTgwNGNkYjg3ODI2Y2FmNTBkYTA1MzE/


FOLLOW-UP MALWARE (RERDOM):

File name:  UpdateFlashPlayer_8c8e05ce.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  a6530c999d7178d0f99da6aa4574f9f6
Detection ratio:  8 / 53
First submission:  2014-07-21 18:53:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b847d3fe7a6f26f49c3420d136ef6e2f004542f1b6df288e865e68c947b2096e/analysis/
Malwr link:  https://malwr.com/analysis/YjliOTg1OTc0YmRiNGM2MDg1NmRjMzVhYWYxNDMwYTE/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO and ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
