2014-09-07 - NEW PATTERNS IN FIESTA EK FROM 104.28.22.24 & 104.28.23.24 - EAUHQ.MONIS.ASIA

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

FIESTA EK:

PRELIMINARY MALWARE ANALYSIS

FIRST FLASH FILE:

File name:  2014-09-07-Fiesta-EK-first-flash-file.swf
File size:  2.3 KB ( 2344 bytes )
MD5 hash:  2dd3d0fb956e6b351226701618b17190
Detection ratio:  1 / 54
First submission:  2014-09-01 18:33:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/064c3f66fd2bde8cff66af86d3e8fd39fa89565e65f9a7a8c15718d40a4ff8d1/analysis/

FIRST SILVERLIGHT FILE:

File name:  2014-09-07-Fiesta-EK-first-silverlight-file.xap
File size:  3.8 KB ( 3941 bytes )
MD5 hash:  23741132b71f2688316ba9abe5d1d048
Detection ratio:  0 / 55
First submission:  2014-08-27 17:54:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/195f6cd22f725580205773efb219a26e516077bcb9b8a768abb1335da9d78bc5/analysis/

FLASH EXPLOIT:

File name:  2014-09-07-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10198 bytes )
MD5 hash:  e46905a96bd4c6fa7d1f86f83e521a99
Detection ratio:  3 / 55
First submission:  2014-09-07 21:43:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0ecd720ee6afd343e139c6a0c1b7e0aa7c20d7029ee326f0a3bc8e807aac2ab2/analysis/

JAVA EXPLOIT:

File name:  2014-09-07-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5131 bytes )
MD5 hash:  5abaa5eaa4116891d9dcdc4fd0e74162
Detection ratio:  4 / 55
First submission:  2014-09-07 21:44:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/629a8f138df1098cfb34e8589c9faf10ac5ecdde5dfaaab78d52a63ffa9b9fff/analysis/

PDF EXPLOIT:

File name:  2014-09-07-Fiesta-EK-pdf-exploit.pdf
File size:  7.2 KB ( 7386 bytes )
MD5 hash:  cdb1ce2b7ec38f3af5e4c811aeefb1fa
Detection ratio:  4 / 54
First submission:  2014-09-07 21:44:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/591f525a2479ce88e021a094e650d5d22449bd3bafdda3bc487b1ab617e8f974/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-09-07-Fiesta-EK-silverlight-exploit.xap
File size:  22.0 KB ( 22578 bytes )
MD5 hash:  dedb5431812f3a776be0d7f330eb2e8c
Detection ratio:  2 / 55
First submission:  2014-09-07 21:44:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef78e1978f8c989c28f05f33a4d81bba11e128c9e4fa25cb47fe392cba987e81/analysis/

MALWARE PAYLOAD:

File name:  2014-09-07-Fiesta-EK-malware-payload.exe
File size:  406.9 KB ( 416696 bytes )
MD5 hash:  2dc219c2232235a19a0225a8a0e32fc1
Detection ratio:  5 / 55
First submission:  2014-09-07 21:45:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/662ab9b020a7b359b705791fb5b6dce27f912f5c9f0332b7f5450cf646022cfa/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

SCREENSHOTS FROM THE TRAFFIC

Embedded iframe in JavaScript from the compromised website:

The redirect checks whether Silverlight is installed and points to the first Flash and Silverlight files from Fiesta EK:

HTTP GET request to Fiesta EK for the first Flash file:

HTTP GET request to Fiesta EK for the first Silverlight file:

Here's the last of these new URL patterns, pointing to what is normally the first HTTP GET request to Fiesta EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
