2014-08-14 - FIESTA EK FROM 217.79.191.87 - POKRDUOF.SERVEPICS.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

FIESTA EK:

POST-INFECTION TRAFFIC (SANDBOX ANALYSIS) FOR MALWARE PAYLOAD 1 OF 2:

SANDBOX TRAFFIC ABOVE TRIGGERED THE FOLLOWING EVENTS:

POST-INFECTION TRAFFIC (SANDBOX ANALYSIS) FOR MALWARE PAYLOAD 2 OF 2:

SANDBOX TRAFFIC ABOVE TRIGGERED THE FOLLOWING EVENTS:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-14-Fiesta-EK-flash-exploit.swf
File size:  9.9 KB ( 10178 bytes )
MD5 hash:  5efb25306eabb0b290b4e3bb5026155d
Detection ratio:  1 / 54
First submission:  2014-08-13 02:13:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/201ab2b6b0a52dacbee96691b170e3ccdb108074fd256c89fa97a38fd3ca77df/analysis/

JAVA EXPLOIT:

File name:  2014-08-14-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5140 bytes )
MD5 hash:  503cb3a014a938e358afef315828aa98
Detection ratio:  4 / 53
First submission:  2014-08-12 17:09:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/591b7e69187db9235390d713cc309032867649ab2f41bc92f58a877c33a22e0c/analysis/

PDF EXPLOIT:

File name:  2014-08-14-Fiesta-EK-PDF-exploit.pdf
File size:  7.4 KB ( 7533 bytes )
MD5 hash:  74af75c89a2715f824b8b568a351337c
Detection ratio:  5 / 54
First submission:  2014-08-14 23:22:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bf9c901e4a6f5c65784a932dabe775d9d39f9b5020fab3a640640140f74ee7ef/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-08-14-Fiesta-EK-silverlight-exploit.xap
File size:  10.4 KB ( 10617 bytes )
MD5 hash:  fca1cb1eec5dab134b71e55452dcb4de
Detection ratio:  4 / 54
First submission:  2014-08-13 02:13:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1b843d9ee49ae6155163f4a92eaef2c3c07a2ab7134fb96e4cef1736e43d5af6/analysis/

MALWARE PAYLOAD 1 OF 2:

File name:  2014-08-14-Fiesta-EK-malware-payload-1-of-2.exe
File size:  347.5 KB ( 355845 bytes )
MD5 hash:  f89f22d354481216548662557d32a086
Detection ratio:  7 / 54
First submission:  2014-08-14 23:32:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cba772d4cc496c3ebbab59663c1da45eee98e897e1ebb04248827b4323cb59cf/analysis/

MALWARE PAYLOAD 2 OF 2:

File name:  2014-08-14-Fiesta-EK-malware-payload-2-of-2.exe
File size:  188.0 KB ( 192512 bytes )
MD5 hash:  b2921404e6576888a2b87f214943aab2
Detection ratio:  33 / 51
First submission:  2014-08-12 09:09:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ed98a6d32d0a94195adf4cc3fdb3d64d43172e524688f9d9144895354bb7fd9c/analysis/

SNORT EVENTS FOR THE INITIAL INFECTION

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

All other exploits used by Fiesta EK send the 2 malware payloads combined in a single encrypted stream.

The Java exploit sends the malware payloads separately. If you add the two sizes together, you'll find the total nearly matches the size shown in the previous image.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.