2014-11-13 - FIESTA EK FROM 205.234.186.110 - BETAMEDSEARCH.IN

ASSOCIATED FILES:

 

NOTES:

 

BLOG ENTRIES ON FIESTA WITH CURRENT PATTERNS FROM THIS ACTOR:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FIESTA EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-13-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 9985 bytes )
MD5 hash:  02b2aded61ec929eb8eab6302d51e707
Detection ratio:  3 / 53
First submission:  2014-11-10 17:18:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ab0a02f5c802bd38fc04d2764492a42cfe5016c8242b58453686200fbe208e80/analysis/

 

JAVA EXPLOIT

File name:  2014-11-13-Fiesta-EK-java-exploit.jar
File size:  7.9 KB ( 8085 bytes )
MD5 hash:  4ae884b9caa02524fab8bdd248dec92f
Detection ratio:  4 / 54
First submission:  2014-11-13 15:44:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/10973e16a16ad7c195634e26bc24ca3cbdab5abf8fc7ebda04159f2b6f5cb2d7/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-11-13-Fiesta-EK-silverlight-exploit.xap
File size:  9.5 KB ( 9773 bytes )
MD5 hash:  457c896b32cbf52db3397953bc26efee
Detection ratio:  5 / 55
First submission:  2014-11-13 15:45:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/718f92a945837ea7a11278db19733d42cb38b393dc17a8167a2eeb7657261496/analysis/

 

MALWARE PAYLOAD

File name:  2014-11-13-Fiesta-EK-malware-payload.exe
File size:  673.0 KB ( 689152 bytes )
MD5 hash:  03384d3b5731e29d9345f274efce3653
Detection ratio:  3 / 52
First submission:  2014-11-13 15:45:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8737344b728c4245c0ca89f884de1fea2e6fda328673166c2ba171ada12d612c/analysis/
Malwr link:  https://malwr.com/analysis/MmFlNmRmYWI5ZTEzNGZhNjhkZWUxMWU2NmM1YTNlMDE/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil after using tcpreplay on the pcap in Security Onion (not including ET INFO or ET POLICY rules):

Signature hits from the Sourcefire VRT ruleset after reading the pcap in Snort 2.9.6.2 on Debian 7:

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect (gate) pointing to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.