2015-03-02 - GUEST BLOG ENTRY BY JACK MOTT - FIESTA EK FROM 69.64.49.212 - YPYITQU.MYFTP.ORG

PCAP AND MALWARE:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

NOTE: jaysocial.com had the following iframe injected:

FIESTA EK:

POST-INFECTION TRAFFIC:

SNORT EVENTS

Snort events from the Emerging Threats open rulesets:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-03-02-Fiesta-EK-Flash-Exploit.swf
File size:  10.2 KB ( 10421 bytes )
MD5 hash:  174fe217b9288259c114b84a7bc78c0c
Detection ratio:  12 / 57
First submission:  2015-03-03 08:10:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c1ab610ecdfaf466903b1fb5d9bdb620ca6b9e0fa17c104f2fdaeb9f9c5f0cbf/analysis/

JAVA EXPLOIT:

File name:  2015-03-02-Fiesta-EK-java-exploit.jar
File size:  5.1 KB ( 5203 bytes )
MD5 hash:  ed7b161d5ba7f6d9a069dc8419d5a2f4
Detection ratio:  10 / 57
First submission:  2015-03-03 04:45:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d1930e9e9e49db912a045c32f69269be5ea1fb22e107186a75976cb5aa9e9ac/analysis/

SILVERLIGHT EXPLOIT:

File name:  2015-03-02-Fiesta-EK-Silverlight-Exploit.xap
File size:  10.6 KB ( 10818 bytes )
MD5 hash:  86655b5b59af502937b6ffd5ee4a2f32
Detection ratio:  8 / 57
First submission:  2015-03-03 08:14:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/019e2c53fb7651b51dee5e4ba5243d3d78b29ac8be856a773ac387c241e4f0af/analysis/

MALWARE PAYLOAD:

File name:  2015-03-02-Fiesta-EK-malware-payload.exe
File size:  161.5 KB ( 165376 bytes )
MD5 hash:  1351644f649aacbbf7812aef829c8197
Detection ratio:  24 / 57
First submission:  2015-03-11 18:31:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d2ae5643aba8cab4f44e5c9f98efe9620b0c4fa4f730db33362fef0731c0d02e/analysis/
Malwr link:  https://malwr.com/analysis/YzY4N2E1MjYxNjY0NDVkZmIxYmIwOGQxZDUxNjI2OTk/

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.