2014-11-01 - FIESTA EK FROM 205.234.186.109 - CONOCARPUSGEORGSIMONOHM.US

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-11-01-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 10056 bytes )
MD5 hash:  c96b86baf3400965a6925d6717b977cd
Detection ratio:  3 / 52
First submission:  2014-10-31 15:15:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/099b7ea19c93dad7b0e46f02e0e49315e6b3de84db361b9bb85025353eabeb3e/analysis/

 

JAVA EXPLOIT:

File name:  2014-11-01-Fiesta-EK-java-exploit.jar
File size:  7.9 KB ( 8051 bytes )
MD5 hash:  a61da3a7aa3c2e269c1328dc06befce0
Detection ratio:  2 / 53
First submission:  2014-11-01 23:00:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/57c3d8ecc0c61687f8137f3ec3710368e7b53cb507bd1332ded2566fa3ae06a6/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-11-01-Fiesta-EK-silverlight-exploit.xap
File size:  9.6 KB ( 9786 bytes )
MD5 hash:  114f3ef6bae9c562d470f77903d16592
Detection ratio:  1 / 53
First submission:  2014-11-01 23:00:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f6823dfa3e421f6f0253eb3b3e3a3f6bd941cb38bfdfef2a940d51f824d0194e/analysis/

 

MALWARE PAYLOAD:

File name:  2014-11-01-Fiesta-EK-malware-payload.exe
File size:  209.4 KB ( 214400 bytes )
MD5 hash:  3df29eb948e72ef7316e20287fae5b6b
Detection ratio:  6 / 54
First submission:  2014-11-01 23:01:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4cac460a0ad8f382c1e1905e635a41c685a65453adca41f658a0b6ee0112b197/analysis/
Malwr link:  https://malwr.com/analysis/YjM5NDMyMTg4ODIxNDcwN2EwZGRmOWM2YjJhYWVmOGY/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

 

SCREENSHOTS FROM THE TRAFFIC

Malicious JavaScript in page from compromised website:

 

Redirect/gate with script that points to the Fiesta EK landing page:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
