2014-02-11 - FIESTA EK DELIVERS CLICK FRAUD MALWARE
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-02-11-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-11-Fiesta-EK-malware.zip
- ZIP of the post-infection PCAP: 2014-02-11-post-infection-traffic.pcap.zip
NOTES:
- The EXE payload didn't do anything on the infected VM, so I copied the EXE over to a physical host and executed it from the physical host's AppData/Local/Temp directory.
- The post-infection click fraud traffic hit a page with the Sweet Orange EK that delivered another malware payload.
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 50.56.237.247 - forum.freeadvice.com - Compromised website
- 190.123.47.198 - newblogsherehally.com - Redirect domain
- 64.202.116.124 - ucrysy.in.ua - Fiesta EK domain
- 82.146.52.233 - pop.qihuvy.eu - Post-infection callback domain that sent Sweet Orange EK
INFECTION CHAIN OF EVENTS
- 02:19:36 UTC - 192.168.204.161:49957 - 50.56.237.247:80 - forum.freeadvice.com - GET /landlord-tenant-issues-42/automatic-renewal-386017.html
- 02:19:36 UTC - 192.168.204.161:49967 - 190.123.47.198:80 - newblogsherehally.com - GET /sdqgfwev.js?27d69957fc93b5b2
- 02:19:37 UTC - 192.168.204.161:49974 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?3
- 02:19:41 UTC - 192.168.204.161:49982 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?0386bf195f12807c5956540d515d000d03060f0d5604010205015e0f5a5e530b
- 02:19:41 UTC - 192.168.204.161:49984 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?664175148e6103c3455a420a040e00000503030a0357010f030452080f0d5306;5110411
- 02:19:51 UTC - 192.168.204.161:49989 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6
- 02:19:51 UTC - 192.168.204.161:49990 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6;1
- 02:19:53 UTC - 192.168.204.161:49993 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?2673339e7150534f58585b0800080851010300080751095e0704510a0b0b5b57
- 02:19:56 UTC - 192.168.204.161:50000 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?3afa83c7d0a90f225c0e045a0b0852030054515a0c51530c06530058000b0005
- 02:19:57 UTC - 192.168.204.161:50001 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?6d31151460abbc20551c560a020e00000551040a0557010f03565508090d5306;1;4
- 02:19:58 UTC - 192.168.204.161:50002 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?6d31151460abbc20551c560a020e00000551040a0557010f03565508090d5306;1;4;1
POST-INFECTION CALLBACK TRAFFIC
- 04:06:00 UTC - 192.168.1.107:49256 - 178.250.245.198:80 - 178.250.245.198 - GET /hz%2fOKbCfTHSkcIXpE3m8Q9iPfqMFtyPq%2fS5CtnRHHHm7wSWh23N%2fhNw9oSI9%2fcREu%2bUPvDZBpm9VsPh5DpBsl4AUbYv8HMZx6rjTj1ilZvCS0ZKF5R3irU%2ft1EuU3U5uopg8OjQiLUAsEr2W4m1IL%2fK2tITguL3r4FdgzfxUGXxLvT%2bbVniutmDk0yeHjBP73r1Ct24CB9cPaUiri9EfFVavaVSEvT1dFqk7d6sAnETObTdYf%2bHjfSfWe4CtRWqG%2byWzZ4AiwSjnRa6QxctE3BbnLr0sCIk%2fbCzksqZxXzmih9W391NlmetSPT7YdxcB1Ypp6osgT1ehg0lJXQrvR6BP2VLG9QPQHWqKbmomo2RQKVICrb2Ko812%2fPKX7Avxv9bqZRXOfHypPk%2fJJVSMQgKtdQ7GT1Ftkgn4ccbrD0aRH7DnpQ1582dXry0tGYYX07pBAljOMkBJm7fkjx3QDsi9VAoPmBI
- 04:10:57 UTC - 192.168.1.107:49258 - 148.251.21.48:80 - 148.251.21.48 - GET /m/IbQCVVVjhDHWwhraPeNr5ntDAv2DQz4+kQRvY5VsQUmKnjtvWcVPu/zzXtG8xQywv00E3Px9M+Yl6/VPp63TyRPmbvenpdgij2qrs
- 04:11:05 UTC - 192.168.1.107:49259 - 148.251.21.48:80 - 148.251.21.48 - GET /18XBob5pX1ST7THkYpEnNWOtWpBCK3LSTu0GzhkPsa8M9V2tHVkaAAAAxxEAAA==
- 04:11:05 UTC - 192.168.1.107:49260 - 46.229.172.166:80 - 46.229.172.166 - GET /?link=c5c08b7a-6809-4513-4316-1928a9bcd4c2&pid=17
- 04:11:06 UTC - 192.168.1.107:49261 - 173.214.255.205:80 - 173.214.255.205 - GET /feed/go.php?id=f9c66857-ac8a-4f9d-ad91-c711aa67bd40&sid=ac2823aabe8584bf8839ff85729c0a85&n=n-14&tid=6498344469847005799&s=3921
- 04:11:06 UTC - 192.168.1.107:49262 - 216.172.63.78:80 - scriptforclick.com - GET /feed/go?id=c20d9eb0-0039-400f-912c-01955d3f8886&b=0.0036&c=fbcbf60ae3e8b606ad76e17d451d2c36&type=G&p=1
- 04:11:06 UTC - 192.168.1.107:49263 - 88.150.196.5:80 - browseadv.com - GET /home.aspx&5-3921/how+to+uninstall+internet+explorer
- 04:11:06 UTC - 192.168.1.107:49263 - 88.150.196.5:80 - browseadv.com - GET /in.cgi?15&onli=odinz&ur=1&HTTP_REFERER=linkexchangemarketing.com-5-3921&parameter=how+to+uninstall+internet+explorer&CS=1
- 04:11:07 UTC - 192.168.1.107:49265 - 208.80.154.224:80 - en.wikipedia.org - GET /wiki/how%20to%20uninstall%20internet%20explorer
- 04:11:07 UTC - 192.168.1.107:49265 - 208.80.154.224:80 - en.wikipedia.org - GET /wiki/How_to_uninstall_internet_explorer
- 04:11:07 UTC - 192.168.1.107:49264 - 82.146.52.233:80 - pop.qihuvy.eu - GET /team/itpm/bitmaps/java.php?pubsphoto=43
- 04:11:07 UTC - 192.168.1.107:49266 - 208.80.154.234:80 - bits.wikimedia.org - GET /en.wikipedia.org/load.php?debug=false&lang=en&modules=ext.gadget.DRN-wizard%2CReferenceTooltips%2Ccharinsert%2Cteahouse%7Cext.visualEditor.viewPageTarget.noscript%7Cext.wikihiero%7Cmediawiki.legacy.commonPrint%2Cshared%7Cskins.common.interface%7Cskins.vector.styles&only=styles&skin=vector&*
- 04:11 UTC - several other GET requests to various wikimedia.org sub-domains
- 04:11:09 UTC - 192.168.1.107:49271 - 208.80.154.224:80 - login.wikimedia.org - GET /wiki/Special:CentralAutoLogin/checkLoggedIn?type=script&wikiid=enwiki&proto=http
- 04:11:11 UTC - 192.168.1.107:49264 - 82.146.52.233:80 - pop.qihuvy.eu - GET /calendar.php?books=574&hotel=4&wifi=701&create=171&video=691&test=408&hotel=200&watch=630
- 04:11:19 UTC - 192.168.1.107:49280 - 88.150.180.36:80 - futurama88.com - GET /load/5/?p=2&t=0&e=0
- 04:11:21 UTC - 192.168.1.107:49280 - 88.150.180.36:80 - futurama88.com - GET /load/5/?p=2&t=1&s=1&e=0
- 04:11:22 UTC - 192.168.1.107:49281 - 5.45.65.142:80 - cc9966.com - GET /cmd?version=1.5&aid=4217&id=18bdcaf9-9790-46fb-8d48-4428f2a90124&os=6.1.7601_1.0_64
- 04:11 UTC - several other GET requests to cc9966.com such as:
- 04:11:37 UTC - 192.168.1.107:49285 - 5.45.65.142:80 - cc9966.com - GET /feed?version=1.20&sid=4217&q=fitness+weight+loss+houston&ref=http%3A%2F%2Fwww.webcrawler.com%2Fsearch%2Fweb%3Fq%3Dfitness%2Bweight%2Bloss%2Bhouston&ua=Mozilla/5.0%20(compatible;%20MSIE%2010.0;%20Windows%20NT%206.1;%20WOW64;%20Trident/6.0)&lang=en-US
- 04:11:37 UTC - 192.168.1.107:49287 - 5.45.65.142:80 - cc9966.com - GET /feed?version=1.20&sid=4217&q=can+you+be+denied+life+insurance+because+of+a+benig+brain+tumor&ref=http%3A%2F%2Fmsxml.excite.com%2Fsearch%2Fweb%3Fq%3Dcan%2Byou%2Bbe%2Bdenied%2Blife%2Binsurance%2Bbecause%2Bof%2Ba%2Bbenig%2Bbrain%2Btumor&ua=Mozilla/5.0%20(compatible;%20MSIE%2010.0;%20Windows%20NT%206.1;%20Trident/6.0)&lang=en-US
- 04:11:37 UTC - 192.168.1.107:49288 - 5.45.65.142:80 - cc9966.com - GET /feed?version=1.20&sid=4217&q=2013+top+ranked+health+insurance+plans+california&ref=http%3A%2F%2Fwww.webcrawler.com%2Fsearch%2Fweb%3Fq%3D2013%2Btop%2Branked%2Bhealth%2Binsurance%2Bplans%2Bcalifornia&ua=Mozilla/5.0%20(compatible;%20MSIE%2010.0;%20Windows%20NT%206.1;%20Trident/6.0)&lang=en-US
- approximately 300 more HTTP GET requests in the PCAP through 04:11:52 UTC
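The cc9966.com feed requests above carry the search query, a full search-engine URL and a browser user-agent string as query-string parameters, which is the shape of the click-fraud feed protocol rather than anything a browser sends on its own. The following Python script is an added example, not part of the original write-up: it decodes the three feed requests listed above (embedded inline as sample input) and tallies the search-engine hosts the bot claims as referers. The parameter names come from the capture; the heuristic in is_search_feed_request is my own and is only meant to illustrate what an analyst would look for.

```python
from collections import Counter
from urllib.parse import unquote, unquote_plus, urlsplit

# Sample input: the three cc9966.com /feed requests from the capture above,
# plus the earlier /cmd check-in, embedded inline so the script runs offline.
FEED_URIS = [
    "/cmd?version=1.5&aid=4217&id=18bdcaf9-9790-46fb-8d48-4428f2a90124&os=6.1.7601_1.0_64",
    "/feed?version=1.20&sid=4217&q=fitness+weight+loss+houston&ref=http%3A%2F%2Fwww.webcrawler.com%2Fsearch%2Fweb%3Fq%3Dfitness%2Bweight%2Bloss%2Bhouston&ua=Mozilla/5.0%20(compatible;%20MSIE%2010.0;%20Windows%20NT%206.1;%20WOW64;%20Trident/6.0)&lang=en-US",
    "/feed?version=1.20&sid=4217&q=can+you+be+denied+life+insurance+because+of+a+benig+brain+tumor&ref=http%3A%2F%2Fmsxml.excite.com%2Fsearch%2Fweb%3Fq%3Dcan%2Byou%2Bbe%2Bdenied%2Blife%2Binsurance%2Bbecause%2Bof%2Ba%2Bbenig%2Bbrain%2Btumor&ua=Mozilla/5.0%20(compatible;%20MSIE%2010.0;%20Windows%20NT%206.1;%20Trident/6.0)&lang=en-US",
    "/feed?version=1.20&sid=4217&q=2013+top+ranked+health+insurance+plans+california&ref=http%3A%2F%2Fwww.webcrawler.com%2Fsearch%2Fweb%3Fq%3D2013%2Btop%2Branked%2Bhealth%2Binsurance%2Bplans%2Bcalifornia&ua=Mozilla/5.0%20(compatible;%20MSIE%2010.0;%20Windows%20NT%206.1;%20Trident/6.0)&lang=en-US",
]


def split_query(query):
    """Split a query string on '&' only.

    urllib.parse.parse_qs on Python < 3.9.2 also splits on ';', which would cut
    the ua= value (it contains literal semicolons) into pieces.
    """
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[key] = value
    return params


def decode_feed_request(uri):
    """Return the decoded search query, claimed referer and claimed UA of one feed URI."""
    path, _, query = uri.partition("?")
    p = split_query(query)
    ref = unquote(p.get("ref", ""))
    return {
        "path": path,
        "sid": p.get("sid", ""),
        "query": unquote_plus(p.get("q", "")),
        "claimed_referer": ref,
        "referer_host": urlsplit(ref).hostname or "",
        "claimed_ua": unquote(p.get("ua", "")),
    }


def is_search_feed_request(uri):
    """Heuristic (my own, not a published rule): a /feed GET that carries a search
    query, a search-engine URL and a user-agent string as parameters."""
    path, _, query = uri.partition("?")
    p = split_query(query)
    if not path.endswith("/feed") or not {"q", "ref", "ua"} <= set(p):
        return False
    return "/search/" in unquote(p["ref"])


def summarize_feeds(uris):
    """Count matching feed requests and group them by the search engine they claim as referer."""
    decoded = [decode_feed_request(u) for u in uris if is_search_feed_request(u)]
    return {
        "count": len(decoded),
        "referer_hosts": dict(Counter(d["referer_host"] for d in decoded)),
        "queries": [d["query"] for d in decoded],
        "claimed_uas": sorted({d["claimed_ua"] for d in decoded}),
    }


if __name__ == "__main__":
    summary = summarize_feeds(FEED_URIS)
    print(f"{summary['count']} feed requests; claimed referer hosts: {summary['referer_hosts']}")
    for q in summary["queries"]:
        print("  query:", q)
    for ua in summary["claimed_uas"]:
        print("  claimed UA:", ua)
```

The decoded referer and user-agent are what the bot tells the feed server, not what the host actually sent; comparing the ua= value against the User-Agent header seen on the wire (the PADS asset events in the Snort section record what the host really presented) is the obvious follow-up check for a defender.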
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: czJInaMB.xap
File size: 5.2 KB ( 5337 bytes )
MD5 hash: fd51f8ffbe8c9dbb323b2dc2ae63827e
Detection ratio: 1 / 48
First submission: 2014-02-11 03:52:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/b31485f99bea716f2f48a4f5d55b93d7941227eed668a8649c0e34b0b5419e56/analysis/
FIESTA EK JAVA EXPLOIT
File name: WPIKFt1N.jar
File size: 7.1 KB ( 7243 bytes )
MD5 hash: 10040755960a9a57cf4f0a1659acaed9
Detection ratio: 0 / 47
First submission: 2014-02-11 03:55:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/78c695acb7df1c727a7bc719040612230b05bed3826611c3961e113c78e7e0c6/analysis/
FIESTA EK MALWARE PAYLOAD
File name: flashplayer11_7r14357_316_win.exe
File size: 119.9 KB ( 122828 bytes )
MD5 hash: 1d184f194298db74373598d8b570fef1
Detection ratio: 31 / 47
First submission: 2014-02-11 03:56:14 UTC
VirusTotal link: https://www.virustotal.com/en/file/a97344e8e651933f7035820f4697a1d0af217ac6cefc21f040c6c8c1645ceae2/analysis/
SWEET ORANGE EK MALWARE PAYLOAD
File name: additional-malware-from-pop.qihuvy.eu.exe
File size: 295.5 KB ( 302592 bytes )
MD5 hash: 1d184f194298db74373598d8b570fef1
Detection ratio: 9 / 31
First submission: 2014-02-15 02:06:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/2c2a39c67396afc1a3e9a2b1fc062c507b8923121d8aba5139602ddf314c5ad7/analysis/
SNORT EVENTS
SNORT EVENTS FOR FIESTA EK TRAFFIC (FROM SECURITY ONION)
- 2014-02-11 02:19:36 - 192.168.204.161:49967 - 190.123.47.198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
- 2014-02-11 02:19:37 - 192.168.204.161:49974 - 64.202.116.124:80 - ET CURRENT_EVENTS FiestaEK js-redirect
- 2014-02-11 02:19:37 - 192.168.204.161:49974 - 64.202.116.124:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
- 2014-02-11 02:19:37 - 64.202.116.124:80 - 192.168.204.161:49974 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-02-11 02:19:41 - 192.168.204.161:49982 - 64.202.116.124:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-02-11 02:19:51 - 64.202.116.124:80 - 192.168.204.161:49989 - ET POLICY PE EXE or DLL Windows file download
- 2014-02-11 02:19:51 - 64.202.116.124:80 - 192.168.204.161:49989 - ET INFO EXE - Served Inline HTTP
- 2014-02-11 02:19:51 - 64.202.116.124:80 - 192.168.204.161:49989 - ET CURRENT_EVENTS Fiesta - Payload - flashplayer11
- 2014-02-11 02:19:53 - 192.168.204.161:49993 - 64.202.116.124:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
- 2014-02-11 02:19:53 - 192.168.204.161:49993 - 64.202.116.124:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-02-11 02:19:53 - 64.202.116.124:80 - 192.168.204.161:49993 - ET CURRENT_EVENTS Cool/BHEK Applet with Alpha-Numeric Encoded HTML entity
- 2014-02-11 02:19:56 - 64.202.116.124:80 - 192.168.204.161:50000 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- 2014-02-11 02:19:56 - 64.202.116.124:80 - 192.168.204.161:50000 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-02-11 02:19:56 - 64.202.116.124:80 - 192.168.204.161:50000 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- 2014-02-11 02:19:56 - 64.202.116.124:80 - 192.168.204.161:50000 - ET TROJAN Generic - 8Char.JAR Naming Algorithm
SNORT EVENTS FOR PHYSICAL HOST INFECTION AND CLICK FRAUD TRAFFIC (FROM SECURITY ONION)
As mentioned earlier, the EXE payload didn't do anything on the VM, so I executed the EXE from a physical host's AppData/Local/Temp directory.
- 2014-02-11 04:06:04 - 192.168.1.107:49257 - 178.250.245.198:80 - PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
- 2014-02-11 04:11:06 - 88.150.196.5:80 - 192.168.1.107:49263 - ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ
- 2014-02-11 04:11:06 - 88.150.196.5:80 - 192.168.1.107:49263 - ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
- 2014-02-11 04:11:06 - 88.150.196.5:80 - 192.168.1.107:49263 - ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS
- 2014-02-11 04:11:06 - 192.168.1.107:49263 - 88.150.196.5:80 - ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ
- 2014-02-11 04:11:06 - 192.168.1.107:49263 - 88.150.196.5:80 - ET CURRENT_EVENTS TDS Sutra - request in.cgi
- 2014-02-11 04:11:11 - 192.168.1.107:49264 - 82.146.52.233:80 - ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request
- 2014-02-11 04:11:11 - 82.146.52.233:80 - 192.168.1.107:49264 - ET POLICY PE EXE or DLL Windows file download
- 2014-02-11 04:11:19 - 192.168.1.107:49280 - 88.150.180.36:80 - ET TROJAN Suspicious User-Agent (IE)
- 2014-02-11 04:11:19 - 192.168.1.107:49280 - 88.150.180.36:80 - ET TROJAN Suspicious UA (^IE[\d\s])
- 2014-02-11 04:11:20 - 88.150.180.36:80 - 192.168.1.107:49280 - ET SHELLCODE Possible Call with No Offset TCP Shellcode
- 2014-02-11 04:11:52 - 192.168.1.107:49530 - 184.51.102.81:80 - PADS New Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe in the infected web page:
forum.freeadvice.com/landlord-tenant-issues-42/automatic-renewal-386017.html
Redirect:
newblogsherehally.com/sdqgfwev.js?27d69957fc93b5b2
Fiesta EK domain delivers Silverlight exploit:
ucrysy.in.ua/wu2shc5/?664175148e6103c3455a420a040e00000503030a0357010f030452080f0d5306;5110411
Fiesta EK Silverlight exploit delivers EXE payload:
ucrysy.in.ua/wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6
Fiesta EK domain delivers Java exploit:
ucrysy.in.ua/wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6
Fiesta EK Java exploit delivers EXE payload:
ucrysy.in.ua/wu2shc5/?6d31151460abbc20551c560a020e00000551040a0557010f03565508090d5306;1;4
Post infection, Sweet Orange EK delivers EXE payload:
pop.qihuvy.eu/calendar.php?books=574&hotel=4&wifi=701&create=171&video=691&test=408&hotel=200&watch=630
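The Fiesta landing and exploit URIs above share one shape: a short directory, then "/?" followed by a long hex string and optional ";digits" trailers, which is what the ET "Phoenix/Fiesta URI Requested Contains /? and hex" signature keys on. As an added example that is not part of the original write-up, the Python script below parses timeline entries in the format used on this page, classifies each URI as landing, Fiesta-style or other, and groups the hex requests by token so the analyst can see which tokens were requested again with an extended trailer (the ";1;6" request from port 49989 is followed by ";1;6;1" from port 49990, and likewise ";1;4" by ";1;4;1"). The line format, the regular expressions and the 60-character hex threshold are my own assumptions generalized from this one capture, not a specification of the kit; the sample input is the infection chain listed above, embedded inline.

```python
import re
from collections import Counter, defaultdict

# Sample input: the infection chain entries from this page, embedded inline so
# the script runs offline against the page's own data.
SAMPLE_LOG = """\
- 02:19:36 UTC - 192.168.204.161:49957 - 50.56.237.247:80 - forum.freeadvice.com - GET /landlord-tenant-issues-42/automatic-renewal-386017.html
- 02:19:36 UTC - 192.168.204.161:49967 - 190.123.47.198:80 - newblogsherehally.com - GET /sdqgfwev.js?27d69957fc93b5b2
- 02:19:37 UTC - 192.168.204.161:49974 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?3
- 02:19:41 UTC - 192.168.204.161:49982 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?0386bf195f12807c5956540d515d000d03060f0d5604010205015e0f5a5e530b
- 02:19:41 UTC - 192.168.204.161:49984 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?664175148e6103c3455a420a040e00000503030a0357010f030452080f0d5306;5110411
- 02:19:51 UTC - 192.168.204.161:49989 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6
- 02:19:51 UTC - 192.168.204.161:49990 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?43d43b85d096ee70514b010f005909010706530f0700080e0101020d0b5a5a07;1;6;1
- 02:19:53 UTC - 192.168.204.161:49993 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?2673339e7150534f58585b0800080851010300080751095e0704510a0b0b5b57
- 02:19:56 UTC - 192.168.204.161:50000 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?3afa83c7d0a90f225c0e045a0b0852030054515a0c51530c06530058000b0005
- 02:19:57 UTC - 192.168.204.161:50001 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?6d31151460abbc20551c560a020e00000551040a0557010f03565508090d5306;1;4
- 02:19:58 UTC - 192.168.204.161:50002 - 64.202.116.124:80 - ucrysy.in.ua - GET /wu2shc5/?6d31151460abbc20551c560a020e00000551040a0557010f03565508090d5306;1;4;1
"""

# One timeline entry: "- HH:MM:SS UTC - src:port - dst:port - host - GET /uri"
LINE_RE = re.compile(
    r"^(?:- )?(?P<ts>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - GET (?P<uri>\S+)$"
)
# Landing page request as seen in this capture: "/<dir>/?<single digit>".
LANDING_RE = re.compile(r"^/[A-Za-z0-9]+/\?\d$")
# Exploit/payload request: "/<dir>/?<60+ lowercase hex chars>" plus zero or more
# ";<digits>" trailers. The 60-char threshold is an assumption taken from the
# "gt 60char hex-ascii" wording of the ET Java rule, not a kit constant.
FIESTA_RE = re.compile(r"^/[A-Za-z0-9]+/\?(?P<hex>[0-9a-f]{60,})(?P<trail>(?:;\d+)*)$")


def parse_line(line):
    """Return the fields of one timeline entry as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_uri(uri):
    """Return ('landing', None, None), ('fiesta', hex_token, trailer) or ('other', None, None)."""
    if LANDING_RE.match(uri):
        return ("landing", None, None)
    m = FIESTA_RE.match(uri)
    if m:
        return ("fiesta", m.group("hex"), m.group("trail"))
    return ("other", None, None)


def analyze(log_text):
    """Classify every entry and group Fiesta-style requests by their hex token."""
    kinds = Counter()
    hosts = set()
    by_token = defaultdict(list)  # hex token -> [(timestamp, trailer), ...] in order seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, token, trail = classify_uri(rec["uri"])
        kinds[kind] += 1
        if kind in ("landing", "fiesta"):
            hosts.add(rec["host"])
        if kind == "fiesta":
            by_token[token].append((rec["ts"], trail))
    return {
        "landing": kinds["landing"],
        "fiesta_requests": kinds["fiesta"],
        "unique_tokens": len(by_token),
        # a token requested twice, the second time with a longer trailer
        "tokens_with_followup": sum(1 for reqs in by_token.values() if len(reqs) > 1),
        "ek_hosts": sorted(hosts),
        "by_token": dict(by_token),
    }


def report(log_text):
    """One human-readable line for the EK hosts, then one per hex token in first-seen order."""
    s = analyze(log_text)
    lines = [f"Fiesta-style hosts: {', '.join(s['ek_hosts'])}"]
    for token, reqs in s["by_token"].items():
        trails = ", ".join(f"{ts} {tr or '(no trailer)'}" for ts, tr in reqs)
        lines.append(f"{token[:16]}...: {trails}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a larger proxy or Bro/Zeek http log, the same two regular expressions and the token grouping are enough to pull a Fiesta chain out of ordinary browsing; the landing check is intentionally narrow (a single digit after "/?") because that is all this capture shows.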
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-02-11-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-11-Fiesta-EK-malware.zip
- ZIP of the post-infection PCAP: 2014-02-11-post-infection-traffic.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.