2014-03-16 - FIESTA EK USES IE AND JAVA EXPLOITS
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-03-16-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-16-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 204.93.211.58 - www.kroatie-vakantie.eu - Compromised website
- 209.239.113.39 - xmjqxjfsub.serveblog.net - Fiesta EK
- various IP addresses - Callback traffic
INFECTION CHAIN OF EVENTS
- 02:36:48 UTC - 192.168.204.189:49353 - 204.93.211.58:80 - www.kroatie-vakantie.eu - GET /
- 02:36:49 UTC - 192.168.204.189:49362 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /zqstj8oyknexpzul0x1cjwtxcirhzbhcjgrsdcv
- 02:36:52 UTC - 192.168.204.189:49390 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /1je6bsz/?6cf412a28e4453ae5f060a0f08095006005756000a0603020d5655060402040604
- 02:36:54 UTC - 192.168.204.189:49392 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5
- 02:36:55 UTC - 192.168.204.189:49393 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5;1
- 02:37:02 UTC - 192.168.204.189:49396 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /1je6bsz/?4a4c6e8977aa8032551355580f5e090d025504570d515a090f54075103555d0d06
- 02:37:03 UTC - 192.168.204.189:49398 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2
- 02:37:03 UTC - 192.168.204.189:49400 - 209.239.113.39:80 - xmjqxjfsub.serveblog.net - GET /1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2;1
POST-INFECTION CALLBACK TRAFFIC
- 02:38:55 UTC - 192.168.204.189:49414 - 82.100.48.5:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:39:58 UTC - 192.168.204.189:49417 - 82.100.48.5:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:40:20 UTC - 192.168.204.189:49418 - 205.251.132.233:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:40:56 UTC - 192.168.204.189:49420 - 77.237.121.19:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:41:27 UTC - 192.168.204.189:49421 - 77.237.121.19:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:43:18 UTC - 192.168.204.189:49423 - 205.251.132.233:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:43:55 UTC - 192.168.204.189:49425 - 205.251.132.233:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:44:25 UTC - 192.168.204.189:49426 - 188.165.106.64:443 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:44:56 UTC - 192.168.204.189:49427 - 75.125.144.114:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:46:24 UTC - 192.168.204.189:49431 - 77.237.121.19:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 02:46:55 UTC - 192.168.204.189:49432 - 77.237.121.19:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT
File name: 2014-03-16-Fiesta-EK-java-exploit.jar
File size: 4.7 KB ( 4859 bytes )
MD5 hash: 6aa4afa29af9ccb2c02700ab2e253c3d
Detection ratio: 8 / 49
First submission: 2014-03-14 16:32:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/f91aff8edded984f61fc31635f6da9d06cebf85f67d3b8643fcb38c2e889e84c/analysis/
MALWARE PAYLOAD
File name: 2014-03-16-Fiesta-EK-malware-payload.exe
File size: 134.0 KB ( 137216 bytes )
MD5 hash: 41d9f2930ccae800ad875938ca137b0a
Detection ratio: 14 / 48
First submission: 2014-03-16 03:01:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/1c0a0652547a9b71097e51483128025704835f9aaf50da3cf762ab97fc11372f/analysis/
Malwr link: https://malwr.com/analysis/MmU0ODNlNDcwZTU5NGViNmEwMDI1MjIxMTZmOWNlYjk/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-03-16 02:36:50 UTC - 209.239.113.39:80 -> 192.168.204.189:49362
- ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-03-16 02:36:52 UTC - 192.168.204.189:49390 -> 209.239.113.39:80
- ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-03-16 02:37:02 UTC - 192.168.204.189:49396 -> 209.239.113.39:80
- ET POLICY Vulnerable Java Version 1.6.x Detected
- ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain
- ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-03-16 02:37:02 UTC - 209.239.113.39:80 -> 192.168.204.189:49396
- ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- ET TROJAN Generic - 8Char.JAR Naming Algorithm
- 2014-03-16 02:38:55 UTC - 192.168.204.189:49414 -> 82.100.48.5:8080
- PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
- ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013
- 2014-03-16 02:44:25 UTC - 192.168.204.189:49426 -> 188.165.106.64:443
- ET POLICY HTTP traffic on port 443 (POST)
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe in the infected web page - www.kroatie-vakantie.eu/
Fiesta EK delivers IE exploit -
xmjqxjfsub.serveblog.net/1je6bsz/?6cf412a28e4453ae5f060a0f08095006005756000a0603020d5655060402040604
IE exploit delivers malware payload -
xmjqxjfsub.serveblog.net/1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5
Fiesta EK delivers Java exploit -
xmjqxjfsub.serveblog.net/1je6bsz/?4a4c6e8977aa8032551355580f5e090d025504570d515a090f54075103555d0d06
Java exploit delivers malware payload -
xmjqxjfsub.serveblog.net/1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2
Example of the malware callback traffic - 82.100.48.5:8080/76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
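The request URIs above follow a pattern that is easy to pick out of proxy or Bro/Zeek-style HTTP logs without the PCAP: the Fiesta EK requests are a short directory, "/?", then 60+ lowercase hex characters, with ";N" groups appended on the second-stage (payload) fetch, and the callbacks are POSTs to a bare uppercase-hex path, including one over plain HTTP on port 443. The script below is an added example written for this post, not part of the original analysis or of any Emerging Threats rule. It runs over a constructed, simplified one-line-per-request log transcribed from the chain of events above (no Host header is known for the callbacks, so "-" is used), labels each request, and groups the Fiesta requests by their hex token so the exploit-then-payload pairs stand out. The landing-page heuristic (any other GET to a host that also served Fiesta hex URIs) and the exact regex bounds are this example's assumptions, not something the traffic proves in general.

```python
"""Classify HTTP request lines for Fiesta EK and follow-on callback traffic.

Added example, not part of the original post. Patterns are generalised from the
requests listed on this page; the log format is a constructed one-line form.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple


class Request(NamedTuple):
    time: str
    client: str
    server: str   # ip:port
    host: str     # Host header, "-" when unknown
    method: str
    uri: str


# Fiesta EK request: short alnum directory, '?', >= 60 lowercase hex chars
# (same idea as the ET "gt 60char hex-ascii" heuristic), then 0+ ';<digits>' groups.
FIESTA_URI = re.compile(
    r"^/[a-z0-9]{2,16}/\?(?P<hex>[0-9a-f]{60,})(?P<suffix>(?:;\d+)*)$")
# Post-infection callback: POST to a bare uppercase-hex path of 40+ chars.
CALLBACK_URI = re.compile(r"^/[0-9A-F]{40,}$")


def parse_line(line: str) -> Request:
    time, client, server, host, method, uri = line.split()
    return Request(time, client, server, host, method, uri)


def server_ip_port(server: str) -> tuple:
    ip, port = server.rsplit(":", 1)
    return ip, int(port)


def classify(method: str, port: int, uri: str) -> str:
    m = FIESTA_URI.match(uri)
    if m:
        # No suffix: the landing page requesting an exploit.
        # ';N' suffix: the exploit code requesting the payload.
        return "fiesta_payload_request" if m.group("suffix") else "fiesta_exploit_request"
    if method == "POST" and CALLBACK_URI.match(uri):
        # Plain HTTP on 443 is what the ET POLICY rule keys on.
        return "callback_post_http_on_443" if port == 443 else "callback_post"
    return "other"


def analyze(log: str) -> dict:
    reqs = [parse_line(ln) for ln in log.strip().splitlines() if ln.strip()]
    labels = Counter()
    ek_hosts, callback_servers = set(), set()
    chains = defaultdict(list)  # hex token -> suffixes seen, in request order
    for r in reqs:
        ip, port = server_ip_port(r.server)
        label = classify(r.method, port, r.uri)
        labels[label] += 1
        if label.startswith("fiesta_"):
            ek_hosts.add(r.host)
            m = FIESTA_URI.match(r.uri)
            chains[m.group("hex")].append(m.group("suffix"))
        elif label.startswith("callback_post"):
            callback_servers.add(ip)
    # Second pass (assumed heuristic): other GETs to an EK host are the landing page/gate.
    landing = [r.uri for r in reqs if r.host in ek_hosts
               and classify(r.method, server_ip_port(r.server)[1], r.uri) == "other"]
    return {"labels": labels, "ek_hosts": ek_hosts, "callback_servers": callback_servers,
            "chains": dict(chains), "landing_uris": landing}


# Constructed sample, transcribed from the request list on this page.
SAMPLE_LOG = """
02:36:48 192.168.204.189:49353 204.93.211.58:80 www.kroatie-vakantie.eu GET /
02:36:49 192.168.204.189:49362 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /zqstj8oyknexpzul0x1cjwtxcirhzbhcjgrsdcv
02:36:52 192.168.204.189:49390 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /1je6bsz/?6cf412a28e4453ae5f060a0f08095006005756000a0603020d5655060402040604
02:36:54 192.168.204.189:49392 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5
02:36:55 192.168.204.189:49393 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /1je6bsz/?7da9b2913abb5f9a54140a025b0908050150510d59065b010c51520b57025c0503;5;1
02:37:02 192.168.204.189:49396 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /1je6bsz/?4a4c6e8977aa8032551355580f5e090d025504570d515a090f54075103555d0d06
02:37:03 192.168.204.189:49398 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2
02:37:03 192.168.204.189:49400 209.239.113.39:80 xmjqxjfsub.serveblog.net GET /1je6bsz/?2d068c19eca6f74d511c550d0158000d0450000203575309095103040d53540d00;1;2;1
02:38:55 192.168.204.189:49414 82.100.48.5:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
02:44:25 192.168.204.189:49426 188.165.106.64:443 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is to see the per-label counts, the single EK host, the two callback servers, and the two payload chains (";5" then ";5;1", and ";1;2" then ";1;2;1"). Against real logs, swap SAMPLE_LOG for your own request lines in the same six-field form; the hex-length and suffix checks are deliberately loose so that a different directory name or a longer token still hits, and the host-based landing heuristic should be treated as a lead to confirm, not a verdict.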
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-03-16-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-16-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.