2014-08-26 - FIESTA EK FROM 64.202.116.154 - WKLOCKES.IN.UA

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

FIESTA EK:

POST-INFECTION TRAFFIC (FROM THE SANDBOX ANALYSIS):

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-26-Fiesta-EK-flash-exploit.swf
File size:  9.9 KB ( 10129 bytes )
MD5 hash:  094590df1b3069fdded1f54578711f92
Detection ratio:  5 / 54
First submission:  2014-08-22 12:59:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f9c4824f94199d22836ff2efa40013c771532e1d9db797dc4dac71d32b8d2ccc/analysis/

JAVA EXPLOIT:

File name:  2014-08-26-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5121 bytes )
MD5 hash:  1a7297d283505c4f7fd536d8801034e8
Detection ratio:  9 / 47
First submission:  2014-08-22 11:40:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1b10c2a30b45ad4c72d905a0e06ab4d1c50832734ecda199f276a4904e9cda09/analysis/

PDF EXPLOIT:

File name:  2014-08-26-Fiesta-EK-pdf-exploit.pdf
File size:  6.9 KB ( 7034 bytes )
MD5 hash:  87163b2d2eedba33168a055c57ae0995
Detection ratio:  5 / 55
First submission:  2014-08-26 13:54:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bc3a7cde1a3ada00075a783bb99d316d81bbb8b064b216a964ee6f534653e290/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-08-26-Fiesta-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22310 bytes )
MD5 hash:  e68b1d99c0874d163a13aad634219fa0
Detection ratio:  5 / 53
First submission:  2014-08-22 17:04:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d82f544a10a932c1ab947bd481836d770a6704edc5fc5b1130255ed57a3a9d19/analysis/

MALWARE PAYLOAD:

File name:  2014-08-26-Fiesta-EK-malware-payload.exe
File size:  345.2 KB ( 353487 bytes )
MD5 hash:  ab755021eff3c0b73b3bd2b8ee98aaaa
Detection ratio:  19 / 53
First submission:  2014-08-26 13:55:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/75e02c1dfd52dc2ee10224b6bc701acf945b16afaa30620185abac9ff91dc82d/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SNORT EVENTS SEEN FROM PCAP OF MALWARE PAYLOAD SANDBOX ANALYSIS

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

Redirect:

Post-infection traffic (from sandbox analysis) - example of UDP traffic to port 19077:

Post-infection traffic (from sandbox analysis) - example of UDP traffic to port 48754:

Post-infection traffic (from sandbox analysis) - example of TCP traffic to port 48754:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.