2014-07-27 - FIESTA EK FROM 64.202.116.156 - ABYABYAB.IN.UA

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-27-Fiesta-EK-flash-exploit.swf
File size:  9.7 KB ( 9982 bytes )
MD5 hash:  f70217469913300c570c2933a42951ec
Detection ratio:  1 / 53
First submission:  2014-07-27 21:50:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ba0aa37707b3c9bf463cd263180d9b6c440365cd56f3cef6f66911ab81e1b1c5/analysis/

 

JAVA EXPLOIT:

File name:  2014-07-27-Fiesta-EK-java-exploit.jar
File size:  4.8 KB ( 4965 bytes )
MD5 hash:  71caf6f257bc901fc3976801950989d3
Detection ratio:  8 / 52
First submission:  2014-07-26 00:17:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eb093ac19b27ff7ced34cf8309f62ad6f5afe413f01e0aeea8c7c8849dd9f653/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-07-27-Fiesta-EK-silverlight-exploit.xap
File size:  11.6 KB ( 11848 bytes )
MD5 hash:  97cd13aa662853c2f43e44118f20e1f4
Detection ratio:  2 / 53
First submission:  2014-07-28 03:04:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f882a8e7c0e0ac2096e9c855b602f5b3a167b9b42a9483c9c7f870dcfbaaa3d3/analysis/

 

MALWARE PAYLOAD:

File name:  2014-07-27-Fiesta-EK-malware-payload.exe
File size:  104.0 KB ( 106496 bytes )
MD5 hash:  6768ee18aba2af896b93acf3fb23a817
Detection ratio:  7 / 53
First submission:  2014-07-28 03:04:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0d4e85a80189357372aa316728fa867f113c068401501ed3df4ed83cf91d6e2e/analysis/

 

FOLLOW-UP MALWARE (RERDOM):

File name:  2014-07-27-Fiesta-EK-follow-up-malware.exe
File size:  168.0 KB ( 172032 bytes )
MD5 hash:  5332f3f54e6543590dd2e1016f3c2cd6
Detection ratio:  9 / 53
First submission:  2014-07-27 22:10:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/870629ea1c49a00165c5e2610d598e35ce5c0e859f13a303cdf389f15d6db34a/analysis/

NOTE: The same Rerdom malware was sent four times and was stored in the user's AppData\Local\Temp directory under Flash-updater-style names:

  • UpdateFlashPlayer_1d075f19.exe
  • UpdateFlashPlayer_79f10e0e.exe
  • UpdateFlashPlayer_b1fcda82.exe
  • UpdateFlashPlayer_dbe35409.exe
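The file blocks above carry more than they print: the VirusTotal URL path is the sample's SHA-256, and the four drop names share one fixed pattern. The script below is an added example, not code from this page or from the Fiesta EK / Rerdom analysis itself: it parses blocks written in the page's own "File name / File size / MD5 hash / VirusTotal link" layout into IOC records, hashes every file in a directory, and flags exact hash matches and filenames matching UpdateFlashPlayer_<8 hex>.exe. IOC_TEXT is a copy of three blocks from this page, the files created in demo() are constructed placeholders (not the real samples), and all function and pattern names are my own.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: three of the file blocks from this page, copied as printed.
IOC_TEXT = """\
File name:  2014-07-27-Fiesta-EK-flash-exploit.swf
File size:  9.7 KB ( 9982 bytes )
MD5 hash:  f70217469913300c570c2933a42951ec
VirusTotal link:  https://www.virustotal.com/en/file/ba0aa37707b3c9bf463cd263180d9b6c440365cd56f3cef6f66911ab81e1b1c5/analysis/

File name:  2014-07-27-Fiesta-EK-malware-payload.exe
File size:  104.0 KB ( 106496 bytes )
MD5 hash:  6768ee18aba2af896b93acf3fb23a817
VirusTotal link:  https://www.virustotal.com/en/file/0d4e85a80189357372aa316728fa867f113c068401501ed3df4ed83cf91d6e2e/analysis/

File name:  2014-07-27-Fiesta-EK-follow-up-malware.exe
File size:  168.0 KB ( 172032 bytes )
MD5 hash:  5332f3f54e6543590dd2e1016f3c2cd6
VirusTotal link:  https://www.virustotal.com/en/file/870629ea1c49a00165c5e2610d598e35ce5c0e859f13a303cdf389f15d6db34a/analysis/
"""


@dataclass
class Ioc:
    name: str
    size: int
    md5: str
    sha256: str


# The page never prints SHA-256 values, but the VirusTotal URL path is the sample's SHA-256.
_SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")
_SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
# Drop-file naming seen on this page: UpdateFlashPlayer_ + 8 hex characters + .exe
DROP_NAME_RE = re.compile(r"^UpdateFlashPlayer_[0-9a-f]{8}\.exe$", re.IGNORECASE)


def parse_iocs(text: str) -> List[Ioc]:
    """Turn 'File name / File size / MD5 hash / VirusTotal link' blocks into Ioc records."""
    iocs: List[Ioc] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or no key/value pair
        key, value = key.strip().lower(), value.strip()
        if key == "file name":
            cur = {"name": value}
        elif key == "file size":
            m = _SIZE_RE.search(value)
            cur["size"] = m.group(1) if m else "0"
        elif key == "md5 hash":
            cur["md5"] = value.lower()
        elif key == "virustotal link":
            m = _SHA256_RE.search(value)
            if m and "name" in cur:
                iocs.append(Ioc(cur["name"], int(cur.get("size", "0")), cur.get("md5", ""), m.group(1)))
            cur = {}
    return iocs


def hash_file(path: str):
    """Return (size, md5, sha256) of a file, streamed so large samples are not read into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def classify(name: str, md5: str, sha256: str, iocs: List[Ioc]) -> List[str]:
    """Reasons a file is suspicious: exact hash matches first, then the weaker drop-name pattern."""
    reasons: List[str] = []
    for ioc in iocs:
        if sha256 == ioc.sha256:
            reasons.append(f"sha256 match: {ioc.name}")
        elif md5 == ioc.md5:
            reasons.append(f"md5 match: {ioc.name}")
    if DROP_NAME_RE.match(name):
        reasons.append("filename matches Rerdom drop pattern UpdateFlashPlayer_<8 hex>.exe")
    return reasons


def scan_dir(directory: str, iocs: List[Ioc]) -> Dict[str, List[str]]:
    """Hash every regular file in a directory (e.g. %LOCALAPPDATA%\\Temp) and report matches."""
    hits: Dict[str, List[str]] = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        _, md5, sha = hash_file(entry.path)
        reasons = classify(entry.name, md5, sha, iocs)
        if reasons:
            hits[entry.name] = reasons
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temp dir with one file named like the drop and one benign file."""
    iocs = parse_iocs(IOC_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed placeholder bytes, not the real binary, so only the name rule fires.
        with open(os.path.join(tmp, "UpdateFlashPlayer_1d075f19.exe"), "wb") as fh:
            fh.write(b"constructed placeholder, not the Rerdom sample")
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"benign")
        return scan_dir(tmp, iocs)


if __name__ == "__main__":
    for fname, why in demo().items():
        print(fname, "->", "; ".join(why))
```

Point scan_dir() at a real Temp directory and feed parse_iocs() the full set of blocks from the page to sweep a host; hash matches are conclusive, while the name rule only says a file was named the way this campaign named its drops and still needs the hash or a sandbox run to confirm.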

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript in page from compromised website:

 

Redirect pointing to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
