2014-09-15 - FIESTA EK FROM 64.202.116.152 - YPILLOW.IN.UA

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

FIESTA EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-15-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10268 bytes )
MD5 hash:  89826275810d15e7c7f59927d9bc8f4c
Detection ratio:  2 / 47
First submission:  2014-09-15 18:35:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5318262227f4d31bc4749811709b483d7ff4988cfd65f190d11df8f16dcb8cae/analysis/

JAVA EXPLOIT

File name:  2014-09-15-Fiesta-EK-java-exploit.jar
File size:  5.1 KB ( 5215 bytes )
MD5 hash:  789f6707544b94e055109b54a0050c83
Detection ratio:  3 / 48
First submission:  2014-09-15 18:35:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9a12575e781f3c7762dba5270dd4ae24da3f080210f3b49cb40835dc3892c61e/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-09-15-Fiesta-EK-silverlight-exploit.xap
File size:  18.9 KB ( 19336 bytes )
MD5 hash:  84432955b7260ed8e4c8f6ec1dacef8a
Detection ratio:  1 / 52
First submission:  2014-09-15 15:47:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eb2d35a6e2b30d5a43cab018ccea386e1b2c836b7a480f55c4aa5c8bacbb6415/analysis/

MALWARE PAYLOAD

File name:  2014-09-15-Fiesta-EK-malware-payload.exe
File size:  507.3 KB ( 519463 bytes )
MD5 hash:  36f812a35ff03075a7eb6af2c876fcde
Detection ratio:  3 / 54
First submission:  2014-09-15 18:36:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d83e9f7545b3958f599e1030a4c7d3358b6f97389e7b1784e99912c5126f534d/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript in page from compromised website:

Redirect (gate) pointing to Fiesta EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.