2014-12-17- FIESTA EK FROM 92.63.88.61 - NRKUKTXVN.MYFTP.ORG

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

FIESTA EK:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):

 

Sourcefire VRT ruleset from Snort 2.9.7.0 on Security Onion using tcpreplay:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-12-17-Fiesta-EK-flash-exploit.swf
File size:  9.9 KB ( 10109 bytes )
MD5 hash:  c3a23ea77c9ca9b583f37c7e9412f423
Detection ratio:  2 / 53
First submission:  2014-12-17 16:20:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7624a1547a57d6af11d20cff062e2d685a2cd098db94452f6124699e31a51345/analysis/

 

JAVA EXPLOIT

File name:  2014-12-17-Fiesta-EK-java-exploit.jar
File size:  5.2 KB ( 5346 bytes )
MD5 hash:  dba1167508c44b0c3b1907445fcc58d0
Detection ratio:  3 / 54
First submission:  2014-12-15 10:30:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/aab9b88f86796cb4417ff8a5a294f7763cec8139a7e7f51c3a332e8aa392633a/analysis/

 

PDF EXPLOIT

File name:  2014-12-17-Fiesta-EK-pdf-exploit.pdf
File size:  7.5 KB ( 7702 bytes )
MD5 hash:  795c9003ccf7f585c399eaaae5a5190b
Detection ratio:  8 / 55
First submission:  2014-12-17 16:21:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b03885c020e04fa9f267fd48bcd624b3f9e4a0fa3d89eae79461b6554adb0dbd/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-12-17-Fiesta-EK-silverlight-exploit.xap
File size:  10.4 KB ( 10612 bytes )
MD5 hash:  1ec574a5df1222e7cf30cbfe3909dccf
Detection ratio:  4 / 54
First submission:  2014-12-17 16:22:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/09e5fe7d0f3aafbdfced994716e5109e8ba8bfc7085a5aa8db019165bd0cf1c3/analysis/

 

MALWARE PAYLOAD

File name:  2014-12-17-Fiesta-EK-malware-payload.exe
File size:  160.5 KB ( 164352 bytes )
MD5 hash:  31af1a5656ce741889984e8e878c7836
Detection ratio:  5 / 52
First submission:  2014-12-17 16:20:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/34fee355fb164f72386583b0859b0aa27ebc3b29103db85b64e2c39be1eca10c/analysis/
Malwr link:  https://malwr.com/analysis/NTFhOGRmNmJlNWJhNDMxZmEwZjFkMzQxNzgyMzAxYjc/

 

SCREENSHOTS

Malicious iframe in compromised website that pointed to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.