2014-09-30 - FIESTA EK FROM 64.202.116.153 - AFFINEAIRFORCE.US

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND FIESTA REDIRECT:

 

FIESTA EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-30-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10251 bytes )
MD5 hash:  5bf447627975b9ac6d0c68aa7f0b7d9a
Detection ratio:  2 / 49
First submission:  2014-09-30 13:55:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dcccecbfa80b7812e85ac17b247c912c45acd464154f3ef4aee29a6c164677b4/analysis/

 

JAVA EXPLOIT:

File name:  2014-09-30-Fiesta-EK-java-exploit.jar
File size:  5.1 KB ( 5208 bytes )
MD5 hash:  f81db671289bb9bbaeeeae519ab6ca07
Detection ratio:  3 / 53
First submission:  2014-09-30 08:07:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3a2104460098294342d76fc741447977f3aa1e8a8f715787e8f8c9fd2a1b1b81/analysis/

 

PDF EXPLOIT:

File name:  2014-09-30-Fiesta-EK-pdf-exploit.pdf
File size:  7.4 KB ( 7610 bytes )
MD5 hash:  da27b50d3ca83816dc0c3f10801eb31c
Detection ratio:  8 / 55
First submission:  2014-09-30 13:55:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8f359f2aa2d76537f6c000fe14ccaee7530668674f7b3a3aff570dbad0b1ebd1/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-09-30-Fiesta-EK-silverlight-exploit.xap
File size:  18.2 KB ( 18586 bytes )
MD5 hash:  6c6b87d853492e3f3ae8f554149ed423
Detection ratio:  2 / 54
First submission:  2014-09-30 13:56:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8fbb447e22d5c24cce5f94bf136e2ca5059cd19ccc6febed64773d3083125e6f/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-30-Fiesta-EK-malware-payload.exe
File size:  395.9 KB ( 405360 bytes )
MD5 hash:  b420af05c69db544141cb096ddf0e814
Detection ratio:  3 / 54
First submission:  2014-09-30 13:56:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1cd11ebb1e2f9fadd53c64df872857a4e7be1d872f8d631c3fc52fc0227d13fe/analysis/
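The five listings above are this post's file IOCs in human-readable form. The script below is an added example (not the post's own tooling) that parses those records into structured objects, sanity-checks each one (hex length of the MD5, SHA-256 recovered from the VirusTotal URL, KB figure against the byte count), ranks the artifacts by how poorly AV detected them at submission time, emits a YARA hash rule, and checks a downloaded copy of a sample against the published size and hashes before it is opened in an analysis VM. The record text is copied from the listing above; the rule name and the helper names are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass

# Record text copied from the listing above (first-submission timestamps omitted).
LISTING = """\
File name:  2014-09-30-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10251 bytes )
MD5 hash:  5bf447627975b9ac6d0c68aa7f0b7d9a
Detection ratio:  2 / 49
VirusTotal link:  https://www.virustotal.com/en/file/dcccecbfa80b7812e85ac17b247c912c45acd464154f3ef4aee29a6c164677b4/analysis/
File name:  2014-09-30-Fiesta-EK-java-exploit.jar
File size:  5.1 KB ( 5208 bytes )
MD5 hash:  f81db671289bb9bbaeeeae519ab6ca07
Detection ratio:  3 / 53
VirusTotal link:  https://www.virustotal.com/en/file/3a2104460098294342d76fc741447977f3aa1e8a8f715787e8f8c9fd2a1b1b81/analysis/
File name:  2014-09-30-Fiesta-EK-pdf-exploit.pdf
File size:  7.4 KB ( 7610 bytes )
MD5 hash:  da27b50d3ca83816dc0c3f10801eb31c
Detection ratio:  8 / 55
VirusTotal link:  https://www.virustotal.com/en/file/8f359f2aa2d76537f6c000fe14ccaee7530668674f7b3a3aff570dbad0b1ebd1/analysis/
File name:  2014-09-30-Fiesta-EK-silverlight-exploit.xap
File size:  18.2 KB ( 18586 bytes )
MD5 hash:  6c6b87d853492e3f3ae8f554149ed423
Detection ratio:  2 / 54
VirusTotal link:  https://www.virustotal.com/en/file/8fbb447e22d5c24cce5f94bf136e2ca5059cd19ccc6febed64773d3083125e6f/analysis/
File name:  2014-09-30-Fiesta-EK-malware-payload.exe
File size:  395.9 KB ( 405360 bytes )
MD5 hash:  b420af05c69db544141cb096ddf0e814
Detection ratio:  3 / 54
VirusTotal link:  https://www.virustotal.com/en/file/1cd11ebb1e2f9fadd53c64df872857a4e7be1d872f8d631c3fc52fc0227d13fe/analysis/
"""


@dataclass
class Sample:
    name: str
    size: int        # bytes
    md5: str
    sha256: str      # taken from the VirusTotal URL, which names the file by SHA-256
    detections: int
    engines: int


def _build(f):
    """Validate one record's fields and turn them into a Sample."""
    kb, size = re.search(r"([\d.]+) KB \(\s*(\d+) bytes", f["File size"]).groups()
    size = int(size)
    if abs(float(kb) - size / 1024) > 0.1:      # catches a mistyped byte count
        raise ValueError(f"{f['File name']}: KB figure does not match byte count")
    md5 = f["MD5 hash"].lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError(f"{f['File name']}: malformed MD5 {md5!r}")
    sha256 = re.search(r"/file/([0-9a-f]{64})/", f["VirusTotal link"]).group(1)
    hits, total = (int(x) for x in f["Detection ratio"].split("/"))
    return Sample(f["File name"], size, md5, sha256, hits, total)


def parse_listing(text):
    """Split the listing into records; a new record starts at each 'File name:'."""
    samples, fields = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "File name" and fields:
            samples.append(_build(fields))
            fields = {}
        fields[key] = value
    if fields:
        samples.append(_build(fields))
    return samples


def rank_by_evasion(samples):
    """Least-detected first: the artifacts most likely to get past endpoint AV."""
    return sorted(samples, key=lambda s: s.detections / s.engines)


def to_yara(samples, rule_name="Fiesta_EK_2014_09_30"):
    """YARA rule matching any sample by SHA-256 (needs YARA's hash module)."""
    conditions = " or\n        ".join(
        f'hash.sha256(0, filesize) == "{s.sha256}"' for s in samples)
    return "\n".join([
        'import "hash"', "", f"rule {rule_name}", "{",
        "    meta:", '        description = "Fiesta EK artifacts seen 2014-09-30"',
        "    condition:", f"        {conditions}", "}", ""])


def verify_local_copy(data, sample):
    """Check a downloaded sample against the published size and hashes before opening it."""
    return {"size_ok": len(data) == sample.size,
            "md5_ok": hashlib.md5(data).hexdigest() == sample.md5,
            "sha256_ok": hashlib.sha256(data).hexdigest() == sample.sha256}


if __name__ == "__main__":
    for s in rank_by_evasion(parse_listing(LISTING)):
        print(f"{s.detections}/{s.engines}\t{s.md5}\t{s.name}")
```

Run as-is it prints the five artifacts with the least-detected first (the Silverlight exploit, at 2/54, edges out the Flash exploit at 2/49), which is the order in which to prioritise them for deeper analysis; `to_yara` gives a rule you can drop into a scanner, and `verify_local_copy` is the check to run on the bytes pulled from the ZIP before anything else touches them. Note that MD5 alone is not a safe identity for a hostile file, which is why the SHA-256 from the VirusTotal URL is carried alongside it.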

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect (gate) pointing to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
