2014-09-24 - FIESTA EK FROM 104.28.6.73 - EOXSC.KULAWYN.IN

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

FIESTA EK:

POST-INFECTION ZEMOT/RERDOM ACTIVITY:

CLICK-FRAUD TRAFFIC BEGINS:

PRELIMINARY MALWARE ANALYSIS

FIRST FLASH FILE:

File name:  2014-09-24-Fiesta-EK-first-flash-file.swf
File size:  2.2 KB ( 2266 bytes )
MD5 hash:  ba6c77f38ab70a68934c7deabf8894c6
Detection ratio:  1 / 55
First submission:  2014-09-25 01:19:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4656889312953701e36a2939c74c1eaf75602bdce61483a86d6036a0f7b07144/analysis/

FIRST SILVERLIGHT FILE:

File name:  2014-09-24-Fiesta-EK-first-silverlight-file.xap
File size:  3.7 KB ( 3757 bytes )
MD5 hash:  97bc26b87b4441489abea82bea17789e
Detection ratio:  1 / 54
First submission:  2014-09-22 10:00:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cebf08c7390408af3a69e0a0e63dd4d6c221c9a1d3707ae87ee3c4f5db223aba/analysis/


NOTE: I call this the "first" Silverlight file; however, in this traffic, no second
file was sent as a Silverlight exploit.

FLASH EXPLOIT:

File name:  2014-09-24-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10210 bytes )
MD5 hash:  ecf16f79e08dadaba821ea1b8e2c66fb
Detection ratio:  3 / 54
First submission:  2014-09-25 01:20:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a069f49f678f767a9dcf245e5d61600db0620300144cd0d869becf32a080f32a/analysis/

PDF EXPLOIT:

File name:  2014-09-24-Fiesta-EK-pdf-exploit.pdf
File size:  7.0 KB ( 7153 bytes )
MD5 hash:  cba44660c0a20c0a541349a65d95768d
Detection ratio:  5 / 55
First submission:  2014-09-25 01:16:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9fbd3fac08052d809e2c10483810d492e9d3859967bd67d998b6da060a4c87af/analysis/

FOLLOW-UP MALWARE (RERDOM):

File name:  UpdateFlashPlayer_46fb5ff5.exe
File size:  200.5 KB ( 205312 bytes )
MD5 hash:  1a18918bd8eadd752295be3e1bd2ea83
Detection ratio:  3 / 55
First submission:  2014-09-25 01:16:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/10cdc6f781a226f039cc6b66e2c8e21641efc5ce865b690646cc7f38056bcc69/analysis/
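
The listing above gives each artifact's size, MD5, and a VirusTotal link whose path carries the SHA256. As an added example (not part of the original post and not the author's own tooling), the script below parses that listing format, pulls the SHA256 out of each VirusTotal URL, and checks a file extracted from the ZIP against its listed size and hashes, so you can confirm you are looking at the same sample before analysing it. The embedded text is a copy of three of the entries above; the other entries use the same format. Function names are my own.

```python
# Added example (not from the original post): parse the per-sample listing
# format used above and verify an extracted sample against it.
import hashlib
import re
from dataclasses import dataclass

# Copy of three entries from the post, in the page's own listing format.
LISTING = """\
FIRST FLASH FILE:

File name:  2014-09-24-Fiesta-EK-first-flash-file.swf
File size:  2.2 KB ( 2266 bytes )
MD5 hash:  ba6c77f38ab70a68934c7deabf8894c6
Detection ratio:  1 / 55
First submission:  2014-09-25 01:19:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4656889312953701e36a2939c74c1eaf75602bdce61483a86d6036a0f7b07144/analysis/

FLASH EXPLOIT:

File name:  2014-09-24-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10210 bytes )
MD5 hash:  ecf16f79e08dadaba821ea1b8e2c66fb
Detection ratio:  3 / 54
First submission:  2014-09-25 01:20:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a069f49f678f767a9dcf245e5d61600db0620300144cd0d869becf32a080f32a/analysis/

FOLLOW-UP MALWARE (RERDOM):

File name:  UpdateFlashPlayer_46fb5ff5.exe
File size:  200.5 KB ( 205312 bytes )
MD5 hash:  1a18918bd8eadd752295be3e1bd2ea83
Detection ratio:  3 / 55
First submission:  2014-09-25 01:16:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/10cdc6f781a226f039cc6b66e2c8e21641efc5ce865b690646cc7f38056bcc69/analysis/
"""


@dataclass
class Sample:
    label: str
    file_name: str
    size_bytes: int
    md5: str
    sha256: str  # VirusTotal file URLs carry the SHA256, not the MD5
    detections: int
    engines: int


_FIELD = re.compile(r"^(File name|File size|MD5 hash|Detection ratio|VirusTotal link):\s+(.*)$")


def _build(label: str, f: dict) -> Sample:
    size = int(re.search(r"\(\s*(\d+)\s+bytes\s*\)", f["File size"]).group(1))
    md5 = f["MD5 hash"].lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError(f"{label}: malformed MD5 {md5!r}")
    sha256 = re.search(r"/file/([0-9a-f]{64})/", f["VirusTotal link"]).group(1)
    detections, engines = (int(x) for x in f["Detection ratio"].split("/"))
    return Sample(label, f["File name"], size, md5, sha256, detections, engines)


def parse_listing(text: str) -> list:
    """Turn the 'File name: / File size: / MD5 hash: ...' blocks into Sample records."""
    samples, label, fields = [], "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        elif line.endswith(":"):  # section heading such as "FLASH EXPLOIT:"
            if fields:
                samples.append(_build(label, fields))
                fields = {}
            label = line[:-1]
    if fields:
        samples.append(_build(label, fields))
    return samples


def verify_sample(data: bytes, expected: Sample) -> dict:
    """Check an extracted file's size, MD5 and SHA256 against its listing entry."""
    return {
        "size": len(data) == expected.size_bytes,
        "md5": hashlib.md5(data).hexdigest() == expected.md5,
        "sha256": hashlib.sha256(data).hexdigest() == expected.sha256,
    }


def record_from_bytes(label: str, file_name: str, data: bytes) -> Sample:
    """Build a listing entry for a new sample (detection counts unknown, left at 0)."""
    return Sample(label, file_name, len(data), hashlib.md5(data).hexdigest(),
                  hashlib.sha256(data).hexdigest(), 0, 0)


if __name__ == "__main__":
    for s in parse_listing(LISTING):
        print(f"{s.label}: {s.file_name} {s.size_bytes} B {s.detections}/{s.engines} sha256={s.sha256}")
```

To use it on the real artifacts, read each extracted file as bytes and pass it with its parsed record to verify_sample; a size match with a hash mismatch usually means the wrong file or a truncated extraction rather than a different sample, so treat any False as a stop sign before detonating anything.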

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

Redirect (gate) pointing to Fiesta EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
