2014-08-19 - FIESTA EK FROM 64.202.116.154 - QUATRO.IN.UA

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File size:  9.9 KB ( 10149 bytes )
MD5 hash:  27018fcf2bd5913986b85fdb6984c864
Detection ratio:  0 / 41
First submission:  2014-08-18 23:29:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/14157ae7e01186cae2134239cb89c67992f46e1930e7eff4d9207aa8b8bc13a9/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-19-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5117 bytes )
MD5 hash:  2c0045b6c6e2db6674ba90459f66342a
Detection ratio:  6 / 53
First submission:  2014-08-18 11:11:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4b2709550a6ecbe21a1cec1c86f5117110b41f2d5d5f06280a75f3ab65e64f6d/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-19-Fiesta-EK-silverlight-exploit.xap
File size:  10.5 KB ( 10702 bytes )
MD5 hash:  baace6aa770d0bbb85ff4440033d07ef
Detection ratio:  3 / 53
First submission:  2014-08-20 01:02:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2f06d12ff56bf7c7719e0288e95d81d37c6d2fd4de97ccb5d873c0a717c78aba/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-19-Fiesta-EK-malware-payload.exe
File size:  478.0 KB ( 489472 bytes )
MD5 hash:  7e3afae2e9ecc9cdf17e48ba4bed3613
Detection ratio:  3 / 53
First submission:  2014-08-20 01:02:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0b27ee297ee789bc2ada5185751463ae58a1bdcfcbf9560e6f7e0bb244a4fa6/analysis/
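The four entries above give an MD5, a byte count and a VirusTotal link for each sample, and the VirusTotal link carries the sample's SHA-256 in its path. The script below is an added example, not part of the original post or its ZIP archives: it transcribes those values into a table and checks any file you point it at against all three, so a mistyped MD5, a different file with the same size, or a sample mangled by the archiving tool each shows up as a partial match rather than a silent miss. The directory path and file names are whatever you extracted locally; nothing else is assumed beyond the hashes printed on this page.

```python
"""Cross-check captured samples against the hashes listed on this page.

Each IOC records the MD5 and size shown above plus the VirusTotal link,
whose path segment carries the sample's SHA-256. Hashing a file once and
comparing all three fields catches a mistranscribed digest as well as a
file that was altered (wrong size, wrong SHA-256) while being archived.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Ioc:
    label: str
    md5: str
    size: int
    vt_url: str


# Transcribed from the four "Preliminary malware analysis" entries above.
IOCS = [
    Ioc("Flash exploit", "27018fcf2bd5913986b85fdb6984c864", 10149,
        "https://www.virustotal.com/en/file/14157ae7e01186cae2134239cb89c67992f46e1930e7eff4d9207aa8b8bc13a9/analysis/"),
    Ioc("Java exploit", "2c0045b6c6e2db6674ba90459f66342a", 5117,
        "https://www.virustotal.com/en/file/4b2709550a6ecbe21a1cec1c86f5117110b41f2d5d5f06280a75f3ab65e64f6d/analysis/"),
    Ioc("Silverlight exploit", "baace6aa770d0bbb85ff4440033d07ef", 10702,
        "https://www.virustotal.com/en/file/2f06d12ff56bf7c7719e0288e95d81d37c6d2fd4de97ccb5d873c0a717c78aba/analysis/"),
    Ioc("Malware payload", "7e3afae2e9ecc9cdf17e48ba4bed3613", 489472,
        "https://www.virustotal.com/en/file/a0b27ee297ee789bc2ada5185751463ae58a1bdcfcbf9560e6f7e0bb244a4fa6/analysis/"),
]

_VT_SHA256 = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url: str) -> str:
    """Pull the SHA-256 out of a VirusTotal file-report URL."""
    m = _VT_SHA256.search(url)
    if not m:
        raise ValueError(f"no SHA-256 in VirusTotal URL: {url}")
    return m.group(1).lower()


def digest_bytes(data: bytes) -> tuple:
    """Return (md5, sha256, size) for a blob, computed in a single pass."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    md5.update(data)
    sha.update(data)
    return md5.hexdigest(), sha.hexdigest(), len(data)


def match_ioc(data: bytes) -> dict:
    """For every listed sample, report which of md5 / sha256 / size agree.

    Only samples with at least one agreeing field are returned, so an MD5
    hit with a SHA-256 miss (a transcription error, or a different file)
    is reported as a partial match instead of being dropped.
    """
    md5, sha, size = digest_bytes(data)
    hits = {}
    for ioc in IOCS:
        fields = {
            "md5": md5 == ioc.md5.lower(),
            "sha256": sha == sha256_from_vt_url(ioc.vt_url),
            "size": size == ioc.size,
        }
        if any(fields.values()):
            hits[ioc.label] = fields
    return hits


def check_directory(directory: str) -> dict:
    """Hash every regular file under `directory` (an extracted sample ZIP)
    and map its name to the IOC matches found for it."""
    return {p.name: match_ioc(p.read_bytes())
            for p in Path(directory).iterdir() if p.is_file()}


if __name__ == "__main__":
    import sys
    # Usage: python check_iocs.py <directory with the extracted samples>
    for name, hits in check_directory(sys.argv[1]).items():
        print(name, hits or "no match")
```

A full match is all three fields True for one label. Size-only matches are expected noise for small files and are worth ignoring; an MD5 match without a SHA-256 match means the page's MD5 and VirusTotal link do not describe the same file, which is the kind of transcription slip worth checking before the hash goes into a blocklist.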

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

Malicious JavaScript in the compromised website

 

Redirect pointing to Fiesta EK

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.