2014-08-22 - FIESTA EK FROM 64.202.116.154 - QOPQOP.IN.UA

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-22-Fiesta-EK-flash-exploit.swf
File size:  9.9 KB ( 10129 bytes )
MD5 hash:  094590df1b3069fdded1f54578711f92
Detection ratio:  0 / 55
First submission:  2014-08-22 12:59:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f9c4824f94199d22836ff2efa40013c771532e1d9db797dc4dac71d32b8d2ccc/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-22-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5121 bytes )
MD5 hash:  1a7297d283505c4f7fd536d8801034e8
Detection ratio:  6 / 54
First submission:  2014-08-22 11:40:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1b10c2a30b45ad4c72d905a0e06ab4d1c50832734ecda199f276a4904e9cda09/analysis/

 

PDF EXPLOIT:

File name:  2014-08-22-Fiesta-EK-pdf-exploit.pdf
File size:  6.9 KB ( 7032 bytes )
MD5 hash:  76e0b26a1e14dfaf1b89880f3bb8c0f4
Detection ratio:  4 / 52
First submission:  2014-08-23 15:45:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef28f595436d36f468df3b47427aa6627de4eabe543d6018833c7be65572cc17/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-22-Fiesta-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22310 bytes )
MD5 hash:  e68b1d99c0874d163a13aad634219fa0
Detection ratio:  1 / 55
First submission:  2014-08-22 17:04:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d82f544a10a932c1ab947bd481836d770a6704edc5fc5b1130255ed57a3a9d19/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-22-Fiesta-EK-malware-payload.exe
File size:  447.0 KB ( 457728 bytes )
MD5 hash:  34e0d3ab5e72377db1f5fb66952ce511
Detection ratio:  12 / 51
First submission:  2014-08-22 14:54:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/49786bb07234b142a18f5c976b45252c1c96133e0d9e29386d1a0de337e9178b/analysis/
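The five entries above are a hash-and-size table; the detection ratios show why hash matching alone was weak on the day (the Flash exploit had 0/55 at first submission). As an added example, not part of the original write-up, the Python below transcribes those indicators into a table, pulls each SHA-256 out of the VirusTotal link rather than retyping it, matches a file on size, MD5 and SHA-256 together, and lists which samples had poor AV coverage. The 10% coverage threshold and the benign sample bytes in the demo are assumptions chosen for illustration.

```python
"""Match local files against the Fiesta EK indicators listed above (2014-08-22).

Added example: the indicator table below is transcribed from the write-up;
the coverage threshold and demo bytes are assumptions for illustration.
"""
import hashlib
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A VirusTotal file-analysis URL carries the sample's SHA-256 in its path.
VT_URL_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url: str) -> str:
    """Extract the SHA-256 embedded in a VirusTotal file-analysis URL."""
    m = VT_URL_RE.search(url)
    if not m:
        raise ValueError(f"no SHA-256 in VirusTotal URL: {url}")
    return m.group(1).lower()


@dataclass(frozen=True)
class Ioc:
    name: str        # file name as given on the page
    kb_label: str    # size as the page prints it, e.g. "9.9 KB"
    size: int        # exact byte count from the page
    md5: str
    vt_url: str
    detections: int  # VirusTotal detection ratio at first submission
    engines: int

    @property
    def sha256(self) -> str:
        return sha256_from_vt_url(self.vt_url)

    @property
    def detection_rate(self) -> float:
        return self.detections / self.engines


VT = "https://www.virustotal.com/en/file/{}/analysis/"
IOCS = [
    Ioc("2014-08-22-Fiesta-EK-flash-exploit.swf", "9.9 KB", 10129,
        "094590df1b3069fdded1f54578711f92",
        VT.format("f9c4824f94199d22836ff2efa40013c771532e1d9db797dc4dac71d32b8d2ccc"), 0, 55),
    Ioc("2014-08-22-Fiesta-EK-java-exploit.jar", "5.0 KB", 5121,
        "1a7297d283505c4f7fd536d8801034e8",
        VT.format("1b10c2a30b45ad4c72d905a0e06ab4d1c50832734ecda199f276a4904e9cda09"), 6, 54),
    Ioc("2014-08-22-Fiesta-EK-pdf-exploit.pdf", "6.9 KB", 7032,
        "76e0b26a1e14dfaf1b89880f3bb8c0f4",
        VT.format("ef28f595436d36f468df3b47427aa6627de4eabe543d6018833c7be65572cc17"), 4, 52),
    Ioc("2014-08-22-Fiesta-EK-silverlight-exploit.xap", "21.8 KB", 22310,
        "e68b1d99c0874d163a13aad634219fa0",
        VT.format("d82f544a10a932c1ab947bd481836d770a6704edc5fc5b1130255ed57a3a9d19"), 1, 55),
    Ioc("2014-08-22-Fiesta-EK-malware-payload.exe", "447.0 KB", 457728,
        "34e0d3ab5e72377db1f5fb66952ce511",
        VT.format("49786bb07234b142a18f5c976b45252c1c96133e0d9e29386d1a0de337e9178b"), 12, 51),
]


def size_label(nbytes: int) -> str:
    """Render a byte count the way the page does (KB = 1024 bytes, one decimal)."""
    return f"{nbytes / 1024:.1f} KB"


def transcription_ok() -> bool:
    """Sanity check: every byte count agrees with the KB figure printed beside it."""
    return all(size_label(i.size) == i.kb_label for i in IOCS)


def identify(data: bytes):
    """Return the IOC whose size, MD5 and SHA-256 all match `data`, else None.

    Requiring all three to agree means a typo in any single transcribed
    value produces a miss rather than a silent false positive.
    """
    md5 = hashlib.md5(data).hexdigest()
    sha = hashlib.sha256(data).hexdigest()
    for ioc in IOCS:
        if len(data) == ioc.size and md5 == ioc.md5 and sha == ioc.sha256:
            return ioc
    return None


def low_coverage(threshold: float = 0.10) -> list:
    """Names of samples whose first-submission detection rate was below `threshold`."""
    return sorted(i.name for i in IOCS if i.detection_rate < threshold)


def scan(paths) -> dict:
    """Map each path to the matching IOC name (or None)."""
    return {str(p): (hit.name if (hit := identify(Path(p).read_bytes())) else None)
            for p in paths}


if __name__ == "__main__":
    assert transcription_ok()
    print("weak AV coverage at first submission:", low_coverage())
    # Constructed benign bytes: demonstrates a non-match without needing the samples.
    print("demo match:", identify(b"constructed benign sample"))
    if len(sys.argv) > 1:
        for path, hit in scan(sys.argv[1:]).items():
            print(f"{path}: {hit or 'no match'}")
```

Run it with file paths as arguments to check captured artifacts against the table. The detection ratios are a snapshot at first submission, so treat `low_coverage()` as a statement about that day, which is the reason the Snort events and the redirect traffic below matter more than the hashes for detection.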

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

Redirect pointing to Fiesta EK domain:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
