2014-08-31 - FIESTA EK FROM 64.202.116.154 - WIEZERSF.IN.UA

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

POST-INFECTION TRAFFIC:

Click-fraud traffic begins:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-31-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10271 bytes )
MD5 hash:  9860b49773715afc1e7cfd2da123e610
Detection ratio:  2 / 55
First submission:  2014-08-31 01:27:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/860770ed7c536a71d8611073d53575748e903006e7e53db4a1df56536970c4ab/analysis/

 

PDF EXPLOIT:

File name:  2014-08-31-Fiesta-EK-pdf-exploit.pdf
File size:  6.7 KB ( 6902 bytes )
MD5 hash:  8d5c4118a0817bd8d515e961164616b9
Detection ratio:  5 / 55
First submission:  2014-08-31 02:53:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/99d09c551873078d55ac2cd0a8d651ef1b189c3182e9fa776f6d2b8ee83f0c20/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-31-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5118 bytes )
MD5 hash:  9bd190e40e05c7e2d6e715ed94d501cc
Detection ratio:  6 / 55
First submission:  2014-08-29 15:42:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/37dbbda6358e32746b4889dcee1560c64786e53da54c367a2803ec2c0c23d535/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-31-Fiesta-EK-silverlight-exploit.xap
File size:  22.1 KB ( 22583 bytes )
MD5 hash:  1471db385e5447683d0b7c4647c86fff
Detection ratio:  1 / 55
First submission:  2014-08-31 01:31:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bd3ee303f9b90761b3d5fde6f46c74baa9378f745ee0a2b83121375fea93e9e7/analysis/

 

MALWARE PAYLOAD:

The malware payload was encrypted, and I wasn't able to grab a copy from the user's AppData\Local\Temp directory before it deleted itself.  This malware payload was a trojan downloader that downloaded Rerdom.


Shown above: 110,890 bytes of encrypted payload

 

RERDOM DOWNLOAD:

File name:  2014-08-31-Fiesta-EK-rerdom-malware.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  8a351bc652decf84eabd853f4efd69bc
Detection ratio:  10 / 55
First submission:  2014-08-31 04:13:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7c548028df72e63ca8624051823804ad130680e72ee0a34259a08d01ec05f223/analysis/

 

MALWARE DROPPED BY RERDOM:

File name:  2014-08-31-Fiesta-EK-malware-dropped-by-rerdom.exe
File size:  316.2 KB ( 323806 bytes )
MD5 hash:  9e5b3d07fe22379248196cce63d6f0b9
Detection ratio:  2 / 54
First submission:  2014-08-31 01:26:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c487e6437a728a0a9f43c29bdd0e20730f1a6ae890cf886d455b35709f065d4/analysis/
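The listings above give each artifact's size and MD5, and the VirusTotal link carries the SHA-256 in its path, so a file carved from the pcap can be checked against both digests rather than MD5 alone. The script below is an added example, not code from the original post or from any tool it mentions: it parses listing blocks in exactly the format used on this page, then classifies carved files against them. The first two LISTING blocks are copied from the page; the third block, its file name and its VirusTotal-style link are constructed from the well-known digests of the byte string "abc" so that a positive match can be shown offline. Note that exact hashes only help for the static files (exploits, Rerdom); the payload that was encrypted on delivery will not hash-match across sessions, which is why a size-only hit is reported separately as a weak hint.

```python
"""Match carved files against the hash/size listings on this page (added example)."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Each artifact on the page is a run of "Field:  value" lines; the SHA-256 is not
# listed directly but sits in the VirusTotal URL path (/file/<sha256>/analysis/).
FIELD_RE = re.compile(r"^(File name|File size|MD5 hash|VirusTotal link):\s+(.*)$")
SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
VT_SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")

# First two blocks: copied from the page.  Third block: constructed test vector
# built from the MD5/SHA-256 of b"abc"; the link is in the page's URL format only.
LISTING = """\
File name:  2014-08-31-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10271 bytes )
MD5 hash:  9860b49773715afc1e7cfd2da123e610
VirusTotal link:  https://www.virustotal.com/en/file/860770ed7c536a71d8611073d53575748e903006e7e53db4a1df56536970c4ab/analysis/

File name:  2014-08-31-Fiesta-EK-rerdom-malware.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  8a351bc652decf84eabd853f4efd69bc
VirusTotal link:  https://www.virustotal.com/en/file/7c548028df72e63ca8624051823804ad130680e72ee0a34259a08d01ec05f223/analysis/

File name:  constructed-sample.bin
File size:  3 bytes ( 3 bytes )
MD5 hash:  900150983cd24fb0d6963f7d28e17f72
VirusTotal link:  https://www.virustotal.com/en/file/ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad/analysis/
"""


@dataclass(frozen=True)
class Ioc:
    name: str
    size: int
    md5: str
    sha256: str


def parse_listing(text: str) -> List[Ioc]:
    """Parse the page's listing blocks (separated by blank lines) into Ioc records."""
    iocs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        size = SIZE_RE.search(fields.get("File size", ""))
        sha = VT_SHA256_RE.search(fields.get("VirusTotal link", ""))
        md5 = fields.get("MD5 hash", "").lower()
        # Refuse half-parsed entries rather than silently matching on nothing.
        if not (size and sha and re.fullmatch(r"[0-9a-f]{32}", md5)):
            raise ValueError(f"malformed listing block: {fields.get('File name')!r}")
        iocs.append(Ioc(fields["File name"], int(size.group(1)), md5, sha.group(1)))
    return iocs


def classify(data: bytes, iocs: Iterable[Ioc]) -> Tuple[str, Optional[Ioc]]:
    """Compare one carved file against the IOCs.

    "match"     both digests agree (the file is the listed sample);
    "conflict"  MD5 agrees but SHA-256 does not (bad listing or a collision; check by hand);
    "size-only" only the length agrees, a weak hint that is worth a manual look;
    "none"      nothing agrees.
    """
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    size_only = None
    for ioc in iocs:
        if md5 == ioc.md5:
            return ("match" if sha256 == ioc.sha256 else "conflict"), ioc
        if len(data) == ioc.size and size_only is None:
            size_only = ioc
    return ("size-only", size_only) if size_only else ("none", None)


def scan_directory(root: Path, iocs: Iterable[Ioc]) -> List[Tuple[str, str, str]]:
    """Run classify() over every file under root (e.g. objects exported from the
    pcap) and return (file name, verdict, listed name) for anything but "none"."""
    iocs = list(iocs)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict, ioc = classify(path.read_bytes(), iocs)
        if verdict != "none":
            hits.append((path.name, verdict, ioc.name))
    return hits


IOCS = parse_listing(LISTING)

if __name__ == "__main__":
    import sys
    for hit in scan_directory(Path(sys.argv[1]), IOCS):
        print(*hit, sep="\t")
```

Point the script at a directory of objects exported from the pcap (for example with Wireshark's File > Export Objects > HTTP); to cover the remaining artifacts on this page, append their listing blocks to LISTING unchanged, since the parser reads the page's own field layout.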

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect pointing to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
