2014-04-01 - FIESTA EK - 3 EXAMPLES

ASSOCIATED FILES:

• ZIP of the PCAPS:  2014-04-01-Fiesta-EK-all-pcaps.zip
• ZIP file of the malware:  2014-04-01-Fiesta-EK-malware.zip

NOTES:

• The same Silverlight exploit and Java exploit was seen in all three VM infections.
• The Fiesta EK infection on 2014-04-01 appears to have delivered two payloads--a 140K payload and a 770K payload; however, I only recovered the 140 K payload from the infected VM.

 

CHAIN OF EVENTS

FIRST FIESTA EK INFECTION - 31 MAR 2014

• 98.158.194.149 - www.cruisemates.com - Comrpomised web site
• 190.123.47.198 - ariasty.org - Redirect
• 64.202.116.124 - cloudm.in.ua - Fiesta EK
• 91.230.60.54 - kuyuacgsiowawsqa.org - Post-infection callback

• 21:01:42 UTC - www.cruisemates.com - GET /forum/royal-caribbean-international/349007-new-spa-prices-royal-caribbean-s-adventure-sea-s.html
• 21:01:44 UTC - ariasty.org - GET /sqgehnkj.js?14a763736e2ce34b
• 21:01:45 UTC - cloudm.in.ua - GET /5butqfk/?2
• 21:01:50 UTC - cloudm.in.ua - GET /5butqfk/?408b1b12d329596d475c4e59035907000501035653520a0707030106065054;5110411
• 21:02:01 UTC - cloudm.in.ua - GET /5butqfk/?4d213e8b7d7bbcdf5714590a015e0e50055509055155035707570b5504575d;6
• 21:02:03 UTC - cloudm.in.ua - GET /5butqfk/?0b07baf3ed13a5b45a0c5c0c505a500101530b0300515d0603510953555303
• 21:02:03 UTC - cloudm.in.ua - GET /5butqfk/?3ecfecb9ff80847e5c0a015d5758540b025458520753590c00565a02525752
• 21:02:04 UTC - cloudm.in.ua - GET /5butqfk/?3ecfecb9ff80847e5c0a015d5758540b025458520753590c00565a02525752
• 21:02:05 UTC - cloudm.in.ua - GET /5butqfk/?016307d217f7966f53495308020c520001000d0752075f0703020f57070501;1;4
• 21:02:06 UTC - cloudm.in.ua - GET /5butqfk/?016307d217f7966f53495308020c520001000d0752075f0703020f57070501;1;4;1
• 21:02:08 UTC - cloudm.in.ua - GET /5butqfk/?4d213e8b7d7bbcdf5714590a015e0e50055509055155035707570b5504575d;6;1
• 21:02:17 UTC - kuyuacgsiowawsqa.org - POST /

 

SECOND FIESTA EK INFECTION - 31 MAR 2014

• 108.168.211.93 - www.subaruoutback.org - Comrpomised web site
• 190.123.47.198 - jollingsi.com - Redirect
• 64.202.116.124 - cloudm.in.ua - Fiesta EK
• 142.91.252.127 - kuyuacgsiowawsqa.org - Post-infection callback

• 21:15:11 UTC - www.subaruoutback.org - GET /forums/104-gen-4-2010-2014/48356-usb-memory-size-2.html
• 21:15:11 UTC - jollingsi.com - GET /hzpgwjlrq.js?95890b98020d723e
• 21:15:12 UTC - cloudm.in.ua - GET /5butqfk/?2
• 21:15:18 UTC - cloudm.in.ua - GET /5butqfk/?4b9064ad4b0380db470e4f0b040f57520553020454045a5107510054570154;5110411
• 21:15:39 UTC - cloudm.in.ua - GET /5butqfk/?34027054e551656950445b09050b030202050b0655000e0100070956560500;6
• 21:15:40 UTC - cloudm.in.ua - GET /5butqfk/?3a02942475397c02590f5c090b0f040202500b065b04090100520956580107
• 21:15:41 UTC - cloudm.in.ua - GET /5butqfk/?33432bd786a3a8145c5c56080059520102020f0750525f0200000d57535556
• 21:15:41 UTC - cloudm.in.ua - GET /5butqfk/?33432bd786a3a8145c5c56080059520102020f0750525f0200000d57535556
• 21:15:42 UTC - cloudm.in.ua - GET /5butqfk/?6cea61758fdd4fd9551b005a040a010307525e5554010c0005505c05570402;1;4
• 21:15:44 UTC - cloudm.in.ua - GET /5butqfk/?6cea61758fdd4fd9551b005a040a010307525e5554010c0005505c05570402;1;4;1
• 21:15:44 UTC - cloudm.in.ua - GET /5butqfk/?34027054e551656950445b09050b030202050b0655000e0100070956560500;6;1
• 21:15:48 UTC - kuyuacgsiowawsqa.org - POST /

 

THIRD FIESTA EK INFECTION - 01 APR 2014

• 198.104.132.205 - www.mapsofworld.com - Comrpomised website
• 209.239.113.37 - chbjaffs.hopto.org - Fiesta EK

• 00:30:39 UTC - www.mapsofworld.com - GET /usa/states/new-jersey/new-jersey-map.html
• 00:30:42 UTC - chbjaffs.hopto.org - GET /fnnzvisxyzblkj4yrvzh66cmpza9ayjtokc
• 00:30:51 UTC - chbjaffs.hopto.org - GET /rmvk30g/?6938ac2f408eef43455545035358005602090a035501025d030a0059515b5054;5110411
• 00:31:11 UTC - chbjaffs.hopto.org - GET /rmvk30g/?033806cc654f6f0653435803020d515304030a030454535805000059000e0151;6
• 00:31:14 UTC - chbjaffs.hopto.org - GET /rmvk30g/?033806cc654f6f0653435803020d515304030a030454535805000059000e0151;6;1
• 00:31:15 UTC - chbjaffs.hopto.org - GET /rmvk30g/?203127d4bfbfbfcf585e5f0a000c560406000a0a0655540f07030050020f0606
• 00:31:20 UTC - chbjaffs.hopto.org - GET /rmvk30g/?3ac48fae260045f35c0e010f0a5d535507515a0f0c04515e06525055085e0556
• 00:31:20 UTC - chbjaffs.hopto.org - GET /rmvk30g/?3ac48fae260045f35c0e010f0a5d535507515a0f0c04515e06525055085e0556
• 00:31:22 UTC - chbjaffs.hopto.org - GET /rmvk30g/?2e632457ae4450a0511d5308000f070706550f080656050c07560552020c5705;1;4
• 00:31:25 UTC - chbjaffs.hopto.org - GET /rmvk30g/?733a187dae4450a0544b565a0303055403030a5a055a075f0200000001005556;2;4

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT SEEN IN ALL THREE INFECTIONS

File name:  2014-03-31-Fiesta-EK-silverlight-exploit.xap
File size:  5.3 KB ( 5396 bytes )
MD5 hash:  85f7d443373e6150333752ce8ba14388
Detection ratio:  0 / 51
First submission:  2014-04-01 00:22:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/977514f84e79294e2c28664beeb5d629263eef7d40ca6919d0396e7e8dd9c9d4/analysis/

 

JAVA EXPLOIT SEEN IN ALL THREE INFECTIONS

File name:  2014-03-31-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7460 bytes )
MD5 hash:  17575d806f5ad6eb1cfa951948f618c0
Detection ratio:  1 / 51
First submission:  2014-04-01 00:22:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/91578a8568e1d3f4b28fc87b9a4274923884b852d2190b51e53f828331d07082/analysis/

 

MALWARE PAYLOAD FOR BOTH INFECTIONS ON 31 MAR 2014

File name:  2014-03-31-Fiesta-EK-malware-payload.exe
File size:  288.0 KB ( 294912 bytes )
MD5 hash:  91f80ac5c63a8e609a521e3a174ce013
Detection ratio:  3 / 51
First submission:  2014-04-01 00:22:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d28a9e727ce8e17104b1c1e04764b62177e0caba02783c730f1a973860de93de/analysis/
Malwr link:  https://malwr.com/analysis/OTQzNDgxYjMwMGU3NGU2MGIwMjM1YzcxMjQ4NGM1YmQ/

 

MALWARE PAYLOAD FOR 01 APR 2014

File name:  2014-04-01-Feista-EK-malware-payload.exe
File size:  140.2 KB ( 143581 bytes )
MD5 hash:  7d35095a22cec16a9470261861a59818
Detection ratio:  3 / 50
First submission:  2014-04-01 02:34:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6ea1e25a549b3ae9b7c673ffb22fa9248ff3176827630ea22660c9123bcd1b57/analysis/
Malwr link:  https://malwr.com/analysis/NDdkNjYwNmMzYWU0NGJhZDhlN2U0YjJkMmMzYzA1YWE/

 

SNORT EVENTS

SNORT EVENTS FROM THE FIRST INFECTION ON 31 MAR 2014 (from Sguil on Security Onion)

 

SNORT EVENTS FROM THE SECOND INFECTION ON 31 MAR 2014

 

SNORT EVENTS FOR THE INFECTION TRAFFIC ON 01 APR 2014

 

SOME SCREENSHOTS FROM THE TRAFFIC

Embedded javascript or iframe from the infected web pages:

 

Redirects seen on 2014-03-31:

 

NOTE: The rest of the traffic is similar to what I've already posted several times for Fiesta EK.

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAPS:  2014-04-01-Fiesta-EK-all-pcaps.zip
• ZIP file of the malware:  2014-04-01-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.