2014-08-09 - FIESTA EK FROM 64.202.116.154 - QLOKKS.IN.UA

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-09-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10243 bytes )
MD5 hash:  3ed37f4595ccb2cf25f3f28dda18f8d2
Detection ratio:  (not recorded)
First submission:  2014-08-08 03:03:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ae25ea353e5bd4f050c5fad78b2eec6237ca909a1aaa06de2017ec7e0a2f9b72/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-09-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5122 bytes )
MD5 hash:  b7c305dbc2833062aef3ca2ce47c60b6
Detection ratio:  3 / 54
First submission:  2014-08-08 03:03:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e52d84073fabe880c952bf94178d42cc3e355716ee3af8da9f7622790fb5d6d1/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-09-Fiesta-EK-silverlight-exploit.xap
File size:  10.3 KB ( 10522 bytes )
MD5 hash:  eae9d09e581e7eb81f19fe3f7493a2a3
Detection ratio:  1 / 54
First submission:  2014-08-08 03:02:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bc0673785f7544b9b28139033b363cb1d557224804a1f975f51fb167445f4c1f/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-09-Fiesta-EK-malware-payload.exe
File size:  359.9 KB ( 368537 bytes )
MD5 hash:  d603c93c1627cb09e4db1c3cee5f9571
Detection ratio:  3 / 54
First submission:  2014-08-09 23:44:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3d891fca5e897b89355baa6f40274253dfcc3c0c4708716d551cd119d2c10d51/analysis/

 

MALWARE DROPPED BY THE PAYLOAD:

File name:  2014-08-09-dropped-by-Fiesta-EK-malware-payload.exe
File size:  129.0 KB ( 132096 bytes )
MD5 hash:  0a84af2942407e9cca0ca7bd66004afc
Detection ratio:  7 / 54
First submission:  2014-08-09 21:08:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cc8bb546411bcb5a9a96d8e5fbf6160425b594dba3add305379eb1b59175221f/analysis/
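The per-file blocks above are the indicators most readers will want to reuse, so here is an added example (not part of the original post) that parses that exact layout into records, pulls the SHA256 out of each VirusTotal link, tolerates a detection-ratio field that is not of the form N / M, and turns the result into hashes you can match a suspect file against or feed to sha256sum. The sample text is a constructed copy of three of the blocks above; the function and class names are my own.

```python
"""Parse the 'File name / File size / MD5 hash / VirusTotal link' blocks of this
writeup into IOC records and match file bytes against them (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: three of the blocks above, copied in the page's own layout.
SAMPLE_BLOCKS = """\
FLASH EXPLOIT:

File name:  2014-08-09-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10243 bytes )
MD5 hash:  3ed37f4595ccb2cf25f3f28dda18f8d2
Detection ratio:  (not recorded)
First submission:  2014-08-08 03:03:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ae25ea353e5bd4f050c5fad78b2eec6237ca909a1aaa06de2017ec7e0a2f9b72/analysis/

JAVA EXPLOIT:

File name:  2014-08-09-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5122 bytes )
MD5 hash:  b7c305dbc2833062aef3ca2ce47c60b6
Detection ratio:  3 / 54
First submission:  2014-08-08 03:03:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e52d84073fabe880c952bf94178d42cc3e355716ee3af8da9f7622790fb5d6d1/analysis/

MALWARE PAYLOAD:

File name:  2014-08-09-Fiesta-EK-malware-payload.exe
File size:  359.9 KB ( 368537 bytes )
MD5 hash:  d603c93c1627cb09e4db1c3cee5f9571
Detection ratio:  3 / 54
First submission:  2014-08-09 23:44:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3d891fca5e897b89355baa6f40274253dfcc3c0c4708716d551cd119d2c10d51/analysis/
"""


@dataclass(frozen=True)
class Ioc:
    label: str                              # section heading, e.g. "JAVA EXPLOIT"
    file_name: str
    size_bytes: int
    md5: str
    sha256: str                             # taken from the VirusTotal URL
    detections: Optional[Tuple[int, int]]   # (hits, engines) or None if not recorded


FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+):\s+(?P<value>.+?)\s*$")
SIZE_RE = re.compile(r"\(\s*(\d+)\s+bytes\s*\)")
SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")
RATIO_RE = re.compile(r"^(\d+)\s*/\s*(\d+)$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def _to_ioc(d: dict) -> Ioc:
    md5 = d["MD5 hash"].strip().lower()
    if not MD5_RE.match(md5):
        raise ValueError("bad MD5 for %s: %r" % (d["File name"], md5))
    ratio = RATIO_RE.match(d.get("Detection ratio", ""))
    return Ioc(
        label=d["label"],
        file_name=d["File name"],
        size_bytes=int(SIZE_RE.search(d["File size"]).group(1)),
        md5=md5,
        sha256=SHA256_RE.search(d["VirusTotal link"]).group(1),
        detections=(int(ratio.group(1)), int(ratio.group(2))) if ratio else None,
    )


def parse_iocs(text: str) -> List[Ioc]:
    """Return one Ioc per 'File name' block, in page order."""
    blocks, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A bare "SOMETHING:" line is a section heading, not a field.
        if line.endswith(":") and line.count(":") == 1:
            label = line[:-1]
            continue
        m = FIELD_RE.match(line)
        if m is None:
            continue
        key, value = m.group("key").strip(), m.group("value")
        if key == "File name":            # a new block starts
            current = {"label": label, "File name": value}
            blocks.append(current)
        elif current is not None:
            current[key] = value
    return [_to_ioc(b) for b in blocks]


def match_iocs(data: bytes, iocs: List[Ioc]) -> Optional[Ioc]:
    """Return the Ioc whose size, MD5 and SHA256 all match `data`, else None."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    for ioc in iocs:
        if (ioc.size_bytes, ioc.md5, ioc.sha256) == (len(data), md5, sha256):
            return ioc
    return None


def sha256sum_lines(iocs: List[Ioc]) -> List[str]:
    """Lines in `sha256sum -c` format, for checking an extracted sample set."""
    return ["%s  %s" % (i.sha256, i.file_name) for i in iocs]


if __name__ == "__main__":
    for ioc in parse_iocs(SAMPLE_BLOCKS):
        print(ioc)
```

Matching on all three of size, MD5 and SHA256 is deliberate: the MD5 is what the post lists, but the SHA256 from the VirusTotal URL is what you should pivot on, and the length check catches a truncated download before any hashing is trusted.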

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised web site:

 

Redirect pointing to Fiesta EK:

 

POST-INFECTION TRAFFIC:

UDP traffic to different hosts... First using UDP port 19077, then UDP port 48754:

 

Here's what's sent first on the first of those UDP ports (the traffic to UDP 48754 is not readable):

 

The TCP traffic (encrypted or otherwise obfuscated) also uses port 48754:

 

And what looks like click-fraud traffic, some of it over non-standard HTTP ports:
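The post-infection pattern described above (unidentified UDP to high ports, then TCP to the same high port, then HTTP on ports other than 80) is easy to pull out of a connection log once you group by source host. The following is an added example, not code from the original post: it parses a constructed Zeek-style conn.log excerpt (the IPs, timestamps and the 19077 port are made up to mirror the description; only a subset of the real conn.log columns is used) and applies three simple checks. The function names are my own.

```python
"""Triage of post-infection flows in a constructed Zeek-style conn.log excerpt
(added example; the log lines are made up to mirror the traffic described)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed conn.log excerpt: one infected host (192.168.1.10) and one clean one.
CONN_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"],
    ["1407600000.10", "192.168.1.10", "49152", "198.51.100.7", "19077", "udp", "-"],
    ["1407600005.20", "192.168.1.10", "49153", "198.51.100.9", "48754", "udp", "-"],
    ["1407600009.00", "192.168.1.10", "49154", "198.51.100.9", "48754", "tcp", "-"],
    ["1407600012.50", "192.168.1.10", "49155", "203.0.113.44", "8089", "tcp", "http"],
    ["1407600013.00", "192.168.1.10", "49156", "203.0.113.45", "80", "tcp", "http"],
    ["1407600020.00", "192.168.1.11", "53000", "192.168.1.1", "53", "udp", "dns"],
])

Flow = Dict[str, object]
Hit = Tuple[str, str, int]   # (orig_h, resp_h, resp_p)


def parse_conn_log(text: str) -> List[Flow]:
    """Parse the '#fields' header and tab-separated rows; return flows sorted by ts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("row before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def udp_ports_by_host(rows: List[Flow]) -> Dict[str, List[int]]:
    """Distinct destination ports of UDP flows Zeek could not identify, per source host."""
    out = defaultdict(list)
    for r in rows:
        if r["proto"] == "udp" and r["service"] == "-" and r["id.resp_p"] not in out[r["id.orig_h"]]:
            out[r["id.orig_h"]].append(r["id.resp_p"])
    return dict(out)


def udp_then_tcp_same_port(rows: List[Flow]) -> List[Hit]:
    """Hosts that sent UDP to a port and later opened TCP to that same port (any peer)."""
    first_udp, hits = {}, []
    for r in rows:                                  # rows are time-ordered
        key = (r["id.orig_h"], r["id.resp_p"])
        if r["proto"] == "udp":
            first_udp.setdefault(key, r["ts"])
        elif r["proto"] == "tcp" and key in first_udp and r["ts"] > first_udp[key]:
            hits.append((r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]))
    return hits


def http_on_nonstandard_ports(rows: List[Flow], standard=(80, 8080)) -> List[Hit]:
    """HTTP flows to ports outside the usual set, e.g. the click-fraud traffic above."""
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
            for r in rows if r["service"] == "http" and r["id.resp_p"] not in standard]


if __name__ == "__main__":
    flows = parse_conn_log(CONN_LOG)
    print("unidentified UDP ports:", udp_ports_by_host(flows))
    print("UDP then TCP to same port:", udp_then_tcp_same_port(flows))
    print("HTTP off standard ports:", http_on_nonstandard_ports(flows))
```

None of these checks is a signature on its own; the point is the combination on one host in a short window, which is what the screenshots above show and what a Snort rule keyed on a single packet cannot express.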

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
