2014-12-26 - FOLLOW-UP TO MY GUEST DIARY FOR THE INTERNET STORM CENTER (ISC)

NOTES:

 

ASSOCIATED FILES:

 

OVERVIEW

Samples start from 2014-12-11 and go through 2014-12-26.

Below are the domain pairs for the compromised websites and their corresponding EK gates on 94.242.216.69.  Each compromised website only uses one specific domain for its gate.
(Read:  compromised website - gate on 94.242.216.69).

 

GATE URL PATTERN

Saw the following characteristics, based on 30 of the gate URLs:

 

Below is an image of the 30 gate URLs, minus the domain names, and with the groups separated.

 

EXAMPLES OF THE GATE

Date/Time: 2014-12-11 19:01 UTC
Referer: hacknmod.com/hack/build-a-fridge-in-your-pc/
Gate: alpinias.com/?_SPMq=vahK1gfvq3&z1_Aj=fW8sL8ld&nkPgy=81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf=fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86__=He0S4m9G&QPy3i=J4HP58S7h&dRPS8=7bi7Y

Date/Time: 2014-12-16 14:45 UTC
Referer: www.excelforum.com/excel-formulas-and-functions/834632-three-dimensional-lookup.html
Gate: magggnitia.com/?3W_wN=I40_W5_&eht=t8vP8M8L&2ad_uO=33KPa&_s3oi=8P5_7&QLfo=cHai8w&ZM7P_K=bSG7TH3p&UKb38=1s4wx2s&jSJyB=cM7c

Date/Time: 2014-12-17 18:20 UTC
Referer: www.ps3news.com/plays
Gate: magicalcepp.com/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf=1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR

Date/Time: 2014-12-16 16:16 UTC
Referer: smith-wessonforum.com/lounge/226418-ups-package-stolen-my-doorstep.html
Gate: muertiose.com/?_I4XS=idKbueq4kR1q8&0TsZ=Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty=x21dbrs8y5

Date/Time: 2014-12-16 17:33 UTC
Referer: www.techimo.com/forum/general-tech-discussion/5834-cost-starting-isp.html
Gate: martinegris.com/?m_FxE=eh0&MkFq=H8GeS&fz7=1l3&d2T6r=ae&LeH_9=k0Il2W&Z7i6=3S1&7h_=Sdlc&zmGAU=i0uf&mMwf=ehp5p&ymV7T=y7lKe&Jpk_DF=_5_2

Date/Time: 2014-12-16 19:57 UTC
Referer: www.visajourney.com/forums/topic/509231-can-my-wife-travel-aboard-with-i-551-stamp-and-nta/
Gate: treestois.com/?Zd_E=Zd_0Q9_5SZbUU32Z4m4bOchhflz2g5n1h7_b6Xgct&sIVh=M8gcrO2yw78886tz8Zf6Ycba_cRd0o1Vk1

Date/Time: 2014-12-17 17:25 UTC
Referer: www.subaruoutback.org/forums/66-problems-maintenance/58961-cabin-air-filter-replacement.html
Gate: velasvegas.com/?e2_Iq=652WNc&zup=V1Z7I2wR9m&5_zQ=k3YT7O4H3_&Dy2bH=t9nsbcbm&Gm2J_=1Kf_Ib0&gq_BF=98m6

Date/Time: 2014-12-17 23:04 UTC
Referer: www.thedieselstop.com/forums/f54/does-anyone-know-if-12-5-tires-fit-8-rim-273921/
Gate: throneonetwo.com/?rQRqX=aj2us3_9Z4&dBzt=h4uKf3l7eV&SIDj=5rd_7zcN0g&2Btxc=aief3k7&oGC=X6g62bgw9h&NUZHg=_5Q4scVc

Date/Time: 2014-12-18 13:25 UTC
Referer: www.wranglerforum.com/f274/what-is-the-best-tire-74106.html
Gate: magnitigus.com/?V7k2sF=sbLLbi2fp9p073kddzfGanaT5K1cGqd&UQG=tc8Z8G0kav2v7QY5gf3I2Z8y5_V0v3dJ0P

Date/Time: 2014-12-19 21:50 UTC
Referer: www.dogforums.com/general-dog-forum/23668-akc-vs-ukc.html
Gate: astroysch.com/?LDZhT=Kegl8uezbqbx6n&_Nk98=Pa59bTd3&_Jp3B=k9hKcTeG_eS30&mwpoA=k3OmaPs700bK&E03=6800L6Kf&_S_Z2l=z1Hge2_s2R0M0M

Date/Time: 2014-12-22 13:55 UTC
Referer: www.tractorbynet.com/forums/rural-living/137359-building-gun-range-suggestions.html
Gate: enotikkiki.com/?tBbJ=286uU9r&tikG=zaoY7Q_0KT8&F0BREM=_4S3n0w9&a2NE=9_d2Kz6&ptmh=f87qma&aOc=2UQ5L1U1g&WEfu6e=kcn_61M1s&rqR=R2s_9S9dG&Mvn=7b

Date/Time: 2014-12-22 14:30 UTC
Referer: www.expatforum.com/expats/britain-expat-forum-expats-living-uk/319377-current-settlement-visa-processing-times-us-uk.html
Gate: margartata.com/?Cid=nak4G9z&UkE3K=3i6iq9&dUjM6_=Xe0se&J_X_g=R4taa&Jr4YHO=q9HQ34P&x1_=3gaZ4H&DVhN=v4v32&6t_=bu_1OX3O&kFP=7y_5rv7

Date/Time: 2014-12-22 21:53 UTC
Referer: digital-photography-school.com/forum/lighting/108218-lux-meter-vs-light-meter.html
Gate: kattyjerem.com/?jtDO_=6pcoex6X_9I1TK9qJckr1Go9t3UL0sdQ_5L&CsM=W3WO4NcvQ4M2tifG8ll9GXdxcgG0Q8Iz8Zn7M

Date/Time: 2014-12-23 06:22 UTC
Referer: www.slkworld.com/slk-r171-general-discussion/35011-hydraulic-cylinder-leak-vario-roof-lock-front.html
Gate: avtrokosmo.com/?eg4yxQ=49eU6k7bIc&PB5=ei8YapbIdQubUz3&qMUy=w8H4iaz2Q1sePdZ&V4Zg=1hcfLh96u07x

Date/Time: 2014-12-23 15:29 UTC
Referer: www.usacarry.com/forums/handgun-maintenance-cleaning-gunsmithing/23426-glock-polymer-break-free-powder-blast.html
Gate: hillarysday.com/?m9SO_=y2Nbh6pd_0j9Mw8&4xF=6h1WubuKajeV4Ke&bW6dQc=w6UcT2aK1f2T&mj7=b_0u9j7Za_aV0&vUhf=ma

Date/Time: 2014-12-24 15:52 UTC
Referer: www.mini2.com/forum/first-generation-mini-cooper-s/10905-performance-vs-all-season-run-flats-17-a.html
Gate: davonblog.com/?PI0=87&acP=Ua8&Foe_m=ZfHq5z&lQXo=2l0&rdy=5Utey&Gt7x8=faS&Ze9_=9_4&rxR=3_3&_PVJ=2J

Date/Time: 2014-12-25 00:51 UTC
Referer: forum.pafoa.org/rifles-42/265256-anyone-try-psas-ar-10-lowers-uppers.html
Gate: vemealltime.com/?BjNP6R=X4tu6&flO_=f5v&_5VStW=7w2i&7apn=ObUa&gym1=bse&64_=8_e&MaF_Z=KdjM4l&MgloI=d

Date/Time: 2014-12-25 01:00 UTC
Referer: www.longrangehunting.com/forums/f111/palmetto-state-armory-pa-10-a-145108/
Gate: hiutneyska.com/?BmvXU=95ldMcN4o&zR__=7jfW2ieoaK&XGI=0Q32wobjk6&eKN2=3o3v6JcLL3&3phU=eW2N_4u2Ri0&6403im=SeYfwf5U9X&iAJ=0UM5wcp1p

Date/Time: 2014-12-25 12:50 UTC
Referer: www.diychatroom.com/f17/i-should-able-figure-out-dryer-vent-30066/
Gate: raiteery.com/?58XtQ=I1UubsZffR4Gi46Y&n9a7C=Z37IU5TdMq0Hca&ifqU=d

Date/Time: 2014-12-26 02:01 UTC
Referer: rugerforum.net/reloading/72581-454-casull-45-long-colt.html
Gate: tracertme.com/?TXY=8ol5p&Opy=d3&A05=0M3&0CDW=Id2&v_3U=1Wrfy&a3E=n8fn&Jbq=94&_mwpNb=3Gx3i&TCvj6x=L2m9

Date/Time: 2014-12-26 20:51 UTC
Referer: www.christianforums.com/
Gate: lotathome.com/?Avt=9sbP&73g=02&Xn_p=Y5eH&qVSMwh=4Ob&37FN=_3Nam&tLYj04=s1T6&9zEoyd=Wck6t&1_P27=d8&NnHk_R=f9V&0Df=4n

Date/Time: 2014-12-26 21:01 UTC
Referer: www.dbstalk.com/page/index.html
Gate: looiskins.com/?g_FR=8j9Z7KZ1&tWugEH=dR5w42K&_XEWte=3kcJUa_s2&2lXksc=zcgZ1ZeTa&vjun0F=N4PcMc3&9QKM=5h8q0bX&NMC=Mb_37d&HzsKM=37NfGe

Date/Time: 2014-12-26 21:07 UTC
Referer: forum.duelingnetwork.com/
Gate: shellshs.com/?Htgi2=m91hPbJ&qFL=9I1PtfY&oIO=6o5l6_&KBvY=_ct7h8&vqf=v7jg12l&wvym=d7_I0&pkZ=o5PkdV3&sHQd42=4U9sw5z&s269Yn=88N5&KSgtr=4

Date/Time: 2014-12-26 21:28 UTC
Referer: forum.freeadvice.com/
Gate: evangglenio.com/?VInD_p=Z9v3_65qSdw0I0JaUufV_28G31&rzE=dOj7ajeH5QO0v1aT0VS0__cJJbNaj&0KX3OD=Z8

Date/Time: 2014-12-26 22:02 UTC
Referer: forums.ilounge.com/
Gate: hillaruwks.com/?tR_c=fb&D8qGF=56&7iV4=S9_1S&J73=etd&dLqv=o57&YHyin=x7vx0&SzZ_qv=7nK4n&AYmLR=dU7T&j2r=bufv&aheYZ_=cd&Fg5_9=c

Date/Time: 2014-12-26 22:09 UTC
Referer: www.harley-davidsonforums.com/
Gate: mandarinski.com/?tf4X=Q63o07&Ll3=08h2OOa&iVeR5N=aLh2OMeL2&HlLk=16nlbch&9zFk5=Obr5zT2ghaV&x_dH=reG0rd5&78l1_J=bqZ8L88V&iep=ei1v3Mg7l&4W1Ay2=6_d

Date/Time: 2014-12-26 22:13 UTC
Referer: www.scienceforums.net/
Gate: starnikos.com/?MnZES_=eKq2zaHaVWbl8Z&9UCvt=3V3g100fj&6JkQc=5m1zLeSzco6p1&_fM=mfp

Date/Time: 2014-12-26 22:24 UTC
Referer: www.woodworkingtalk.com/
Gate: smeeynovki.com/?y0_ot=wezcww6waL1pv7Q9j&kehUw=0_3h_eMp6dg57R&nD0A=5qmaGbrIcL1tc4&vw2T=t3tedP2WvcYMaznaJ&_Gs1Cl=q9_I38qT2Re3LUf&noVc_m=4md_3Mte

Date/Time: 2014-12-26 22:31 UTC
Referer: www.talkofthevillages.com/forums/index.php
Gate: bokaltoalll.com/?aNDz=ncw6crzeoGeH10PwfW9&3Vx5t0=o25T1T39ak7Xayew&1IN=a_

Date/Time: 2014-12-26 22:36 UTC
Referer: www.marlinowners.com/forum/
Gate: levelskons.com/?cdIJ=5ZePbeh8s7&beo_9=3k9Mdy0_4msfg&YEL=cN5nc_m1q7Veq&dtJf7=J3_fW

Date/Time: 2014-12-26 22:40 UTC
Referer: www.gunforums.net/forums/sendmessage.php
Gate: astroysch.com/?FhDnR1=N6TcZ7OJ1g8Q5Wev&OQje3_=4Qfs0x0lH3n9jn7j&mvgcKT=el
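As an added illustration (not the author's own tooling), the following Python script turns the shape of the gate URLs listed above into a triage heuristic and runs it over a few constructed proxy-log lines: a request is flagged when its destination is the gate IP reported on this page, or when its query string has at least two parameters, every key and value is limited to [A-Za-z0-9_], and most keys carry digits or mixed case the way the listed gate keys do. The log format, the threshold values and the benign sample lines are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The gate IP is taken from this page; the heuristic below is this example's own,
# derived from the gate URLs listed above, not a rule the author published.
KNOWN_GATE_IP = "94.242.216.69"
TOKEN = re.compile(r"^[A-Za-z0-9_]+$")

def random_looking(key):
    """Gate keys (_SPMq, 0Us9, tf4X) carry digits or mixed case; ordinary keys do not."""
    has_digit = any(c.isdigit() for c in key)
    mixed = any(c.isupper() for c in key) and any(c.islower() for c in key)
    return has_digit or mixed

def gate_features(url):
    """(param_count, random_key_ratio), or None when the URL lacks the gate shape:
    root path plus a query of k=v pairs with every key and value in [A-Za-z0-9_]."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.path not in ("", "/") or not parts.query:
        return None
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not pairs or any(not (TOKEN.match(k) and TOKEN.match(v)) for k, v in pairs):
        return None
    return len(pairs), sum(random_looking(k) for k, _ in pairs) / len(pairs)

def looks_like_fiesta_gate(url, min_params=2, min_ratio=0.75):
    feats = gate_features(url)
    return feats is not None and feats[0] >= min_params and feats[1] >= min_ratio

def scan_proxy_log(lines):
    """Line format (assumed): <timestamp> <client> <dest_ip> <referer> <url>."""
    hits = []
    for line in lines:
        _, _, dst, referer, url = line.split()
        if dst == KNOWN_GATE_IP:
            hits.append(("known gate ip", referer, url))
        elif looks_like_fiesta_gate(url):
            hits.append(("gate url pattern", referer, url))
    return hits

# Constructed lines: two gate URLs from this page (the second on an unrelated IP) and two benign requests.
SAMPLE_LOG = [
    "2014-12-26T20:51Z 10.0.0.5 94.242.216.69 www.christianforums.com/ lotathome.com/?Avt=9sbP&73g=02&Xn_p=Y5eH&qVSMwh=4Ob&37FN=_3Nam",
    "2014-12-26T22:13Z 10.0.0.5 203.0.113.9 www.scienceforums.net/ starnikos.com/?MnZES_=eKq2zaHaVWbl8Z&9UCvt=3V3g100fj&6JkQc=5m1zLeSzco6p1&_fM=mfp",
    "2014-12-26T22:14Z 10.0.0.5 203.0.113.10 - www.example.com/?page=2&sort=name",
    "2014-12-26T22:15Z 10.0.0.5 203.0.113.11 - www.example.com/search?q=dryer_vent",
]
```

The pattern rule is a triage filter rather than a signature: camelCase or numbered keys on legitimate sites will trip it, so pair a hit with its referer and destination before acting on it.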

 

3 TRAFFIC EXAMPLES FROM 2014-12-26

 

MALWARE FROM 2014-12-26

FLASH EXPLOIT:

File name:  2014-12-26-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10231 bytes )
MD5 hash:  8de7ac0ab9e3b16bb45513543d72b145
Detection ratio:  3 / 56
First submission:  2014-12-25 17:28:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/73d1306b4f337c13cee889dc9c6a0dbd7e99ab7f898de28603290177a3abaea0/analysis/

 

JAVA EXPLOIT:

File name:  2014-12-26-Fiesta-EK-java-exploit.jar
File size:  5.2 KB ( 5310 bytes )
MD5 hash:  10c09539122f4fb7e24b5a56d129d6b1
Detection ratio:  2 / 56
First submission:  2014-12-27 00:01:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d62807fc2aff848fe80b653b07b6ffa571b230e83a2b6b3e5c70808abd3fa778/analysis/

 

PDF EXPLOIT:

File name:  2014-12-26-Fiesta-EK-pdf-exploit.pdf
File size:  7.7 KB ( 7934 bytes )
MD5 hash:  e7a2a56414e45c8f0e563b533da2baf1
Detection ratio:  6 / 56
First submission:  2014-12-27 00:01:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/41183a978a0c783aab70478314e48eab26595cc2b2c1da0d65e39c870ea4da97/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-12-26-Fiesta-EK-silverlight-exploit.xap
File size:  10.3 KB ( 10531 bytes )
MD5 hash:  6e2f1afa2f0ceda018ce39581cf38414
Detection ratio:  3 / 56
First submission:  2014-12-27 00:02:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c009d70d1e06f5f2ec6200d431fde37efcf4c52bbdfa44397e053f62f82c39f7/analysis/

 

MALWARE PAYLOAD - FIRST INFECTION - 2014-12-26 20:51 UTC:

File name:  2014-12-26-Fiesta-EK-malware-payload-example-01.exe
File size:  508.7 KB ( 520957 bytes )
MD5 hash:  8733591ed354d6ee2782b87c4624a925
Detection ratio:  2 / 56
First submission:  2014-12-27 00:02:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/02836f758e5dc0e93dcd24850f19b481d07a7dce2b506802f53747caaf93cdc7/analysis/
Malwr link:  https://malwr.com/analysis/Y2QyYWM0NDM1N2E5NDZkMDlhYzJjZjM3MDEzY2Q5ZTc/

 

MALWARE PAYLOAD - SECOND INFECTION - 2014-12-26 21:08 UTC:

File name:  2014-12-26-Fiesta-EK-malware-payload-example-02.exe
File size:  136.1 KB ( 139332 bytes )
MD5 hash:  ccd74e165a02f83099685d80afd4f24b
Detection ratio:  4 / 56
First submission:  2014-12-27 00:02:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/03014d06c8b28ff77392f8182215df0ad6c0b3ff1dd86b98d8bea003c04817c7/analysis/
Malwr link:  https://malwr.com/analysis/MjdjNGJlMWY4MWI3NGEwYjkwZWJmMWVlZDlhN2Q4OTE/

 

MALWARE PAYLOAD - THIRD INFECTION - 2014-12-26 21:28 UTC:

File name:  2014-12-26-Fiesta-EK-malware-payload-example-03.exe
File size:  302.0 KB ( 309248 bytes )
MD5 hash:  658607e40ab96f93ef4e483b6a4b3267
Detection ratio:  5 / 56
First submission:  2014-12-27 00:02:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/01a2a51ab4c81d8fb2e9f38fca5e18304ff5b087a22d237496ae14fdea820bbc/analysis/
Malwr link:  https://malwr.com/analysis/NWY0YzBiMTk5ZWY0NDBmZGJlM2JjMDE5MzllYzM4NmI/

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
