2014-10-26 - FIESTA EK FROM 205.234.186.109 - HEMATITETEKKI.BIZ

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT/GATE:

FIESTA EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-26-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10197 bytes )
MD5 hash:  5bb08893d945f26ba4f245107fffdc7e
Detection ratio:  1 / 53
First submission:  2014-10-26 13:07:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f2caed6e81d4b5413c9336dbec9db427cb03b8c38106991f16656731d005b4d6/analysis/

PDF EXPLOIT

File name:  2014-10-26-Fiesta-EK-pdf-exploit.pdf
File size:  7.7 KB ( 7864 bytes )
MD5 hash:  d910156fb3f6bf87fe410e1588b94e1d
Detection ratio:  7 / 53
First submission:  2014-10-26 13:09:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/29b28d58d9f5f25d42f53ae9c23fe5f882c9807a6682403a82c6deca256b814d/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-10-26-Fiesta-EK-silverlight-exploit.xap
File size:  9.7 KB ( 9890 bytes )
MD5 hash:  375e078a28473f4c8616b1f8f7c380e9
Detection ratio:  0 / 54
First submission:  2014-10-26 13:09:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ced722fda936fda7766a806ca50cacc8cfdd0386d42973a7ba4192c917c5eae/analysis/

MALWARE PAYLOAD

File name:  2014-10-26-Fiesta-EK-malware-payload.exe
File size:  475.9 KB ( 487271 bytes )
MD5 hash:  5a468b77bc026fe2a5297ec4c9f3cd11
Detection ratio:  2 / 53
First submission:  2014-10-26 13:09:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a30c7f10379a9bff8ca8b03dbf8345b1eab44201e7818b0ec6992f087e61924e/analysis/

(Screenshot not reproduced: where the payload is decrypted and stored on the local hard drive.)

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript in a page from the compromised website:

Redirect/gate pointing to Fiesta EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.