2014-04-04 - FIESTA EK
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-04-04-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-04-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 208.43.210.234 - www.electriciantalk.com - Compromised website
- 190.123.47.198 - teleleksi.com - Redirect
- 64.202.116.124 - caploz.in.ua - Fiesta EK
INFECTION CHAIN OF EVENTS
- 07:34:28 UTC - www.electriciantalk.com - GET /f26/please-help-ibew-apprentice-test-1877/
- 07:34:29 UTC - teleleksi.com - GET /bsrpvtjgnh.js?e119089989061590
- 07:34:29 UTC - caploz.in.ua - GET /5butqfk/?2
- 07:34:32 UTC - caploz.in.ua - GET /5butqfk/?15cc4a0af7ef2b9558500f58065a0958060452580003005a0406500601075650
- 07:34:32 UTC - caploz.in.ua - GET /5butqfk/?6553f83e269ca82a4559430854030a5c01040408525a035e03060656535e5554;5110411
- 07:34:34 UTC - caploz.in.ua - GET /5butqfk/?0d99a107ed53494353145202530a090e075508025553000c05570a5c54575604;5
- 07:34:35 UTC - caploz.in.ua - GET /5butqfk/?0d99a107ed53494353145202530a090e075508025553000c05570a5c54575604;5;1
- 07:34:54 UTC - caploz.in.ua - GET /5butqfk/?20fd214f035d286f51400d5f000a0d5f0501575f0653045d0703550107575257;6
- 07:34:55 UTC - caploz.in.ua - GET /5butqfk/?20fd214f035d286f51400d5f000a0d5f0501575f0653045d0703550107575257;6;1
- 07:34:55 UTC - caploz.in.ua - GET /5butqfk/?2e3407d0a0e3d8095317520f020c5d090554020f0455540b0756005105510201
- 07:35:07 UTC - caploz.in.ua - GET /5butqfk/?3af5549ec85617c95019030e070f005c0450570e0156095e0652555000525f54;1;2
- 07:35:07 UTC - caploz.in.ua - GET /5butqfk/?3af5549ec85617c95019030e070f005c0450570e0156095e0652555000525f54;1;2;1
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT CVE-2013-0074
File name: 2014-04-04-Fiesta-EK-silverlight-exploit.xap
File size: 5.3 KB ( 5396 bytes )
MD5 hash: 85f7d443373e6150333752ce8ba14388
Detection ratio: 18 / 51
First submission: 2014-04-01 00:22:32 UTC
VirusTotal link: https://www.virustotal.com/en/file/977514f84e79294e2c28664beeb5d629263eef7d40ca6919d0396e7e8dd9c9d4/analysis/
JAVA EXPLOIT CVE-2012-0507
File name: 2014-04-04-Fiesta-EK-java-exploit.jar
File size: 4.8 KB ( 4915 bytes )
MD5 hash: b06c4c3e58c717a73ff185c87c290cd6
Detection ratio: 12 / 51
First submission: 2014-04-02 18:37:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/adcf72959fc94988c636bf8889cc04843b6b23dcaa584c5d83bb0e955284f84a/analysis/
MALWARE PAYLOAD
File name: 2014-04-04-Fiesta-EK-malware-payload.exe
File size: 163.3 KB ( 167217 bytes )
MD5 hash: 7ce240ccd4d8fa71f61cedfcb446af3e
Detection ratio: 11 / 49
First submission: 2014-04-04 08:17:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/d5f2b62e7a799c926c0a9862b2afdb06640c6def88f2be22c9d3c54ee4d052ff/analysis/
Malwr link: https://malwr.com/analysis/ODk1Y2YwOTQwMGY1NDdlMWEzZTZmMWRiYTU0YTBiZmY/
SNORT EVENTS
SNORT EVENTS FROM THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-04-04 07:34:29 UTC - 192.168.204.212:49708 - 190.123.47.198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
- 2014-04-04 07:34:29 UTC - 192.168.204.212:49715 - 64.202.116.124:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
- 2014-04-04 07:34:30 UTC - 64.202.116.124:80 - 192.168.204.212:49715 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-04-04 07:34:32 UTC - 192.168.204.212:49754 - 64.202.116.124:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-04-04 07:34:32 UTC - 64.202.116.124:80 - 192.168.204.212:49762 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
- 2014-04-04 07:34:55 UTC - 192.168.204.212:49809 - 64.202.116.124:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-04-04 07:34:55 UTC - 192.168.204.212:49809 - 64.202.116.124:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
- 2014-04-04 07:34:56 UTC - 64.202.116.124:80 - 192.168.204.212:49809 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- 2014-04-04 07:34:56 UTC - 64.202.116.124:80 - 192.168.204.212:49809 - ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names
- 2014-04-04 07:34:56 UTC - 64.202.116.124:80 - 192.168.204.212:49809 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-04-04 07:34:56 UTC - 64.202.116.124:80 - 192.168.204.212:49809 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- 2014-04-04 07:34:56 UTC - 64.202.116.124:80 - 192.168.204.212:49809 - ET TROJAN Generic - 8Char.JAR Naming Algorithm
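The request list under INFECTION CHAIN OF EVENTS and the Sguil alert lines above can be joined on time and server IP, which is the check an analyst does to confirm which GET each signature actually fired on. The Python below is an added example written for this page, not a script from the site or its author; it embeds a subset of the lines listed above as constructed input, assumes the capture date 2014-04-04 from the title and the victim IP 192.168.204.212 from the alert lines, and uses a 2-second window because the server-side alerts (landing, Silverlight, JAR) fire on the response a second after the request. The URI classifier only mirrors what the ET "URI Requested Contains /? and hex" signature keys on (a one-segment directory, "?", 64 hex characters, optional ;digit suffixes); it makes no claim about what the numeric suffixes mean.

```python
import re
from datetime import datetime, timedelta

CAPTURE_DATE = "2014-04-04"       # from the page title; request lines carry only a time of day
VICTIM_IP = "192.168.204.212"     # the internal host seen in the Sguil alert lines

# Server IPs from the ASSOCIATED DOMAINS list on this page
HOST_TO_IP = {
    "www.electriciantalk.com": "208.43.210.234",
    "teleleksi.com": "190.123.47.198",
    "caploz.in.ua": "64.202.116.124",
}

# Constructed input: a subset of the GET requests listed under INFECTION CHAIN OF EVENTS
HTTP_EVENTS = """\
- 07:34:28 UTC - www.electriciantalk.com - GET /f26/please-help-ibew-apprentice-test-1877/
- 07:34:29 UTC - teleleksi.com - GET /bsrpvtjgnh.js?e119089989061590
- 07:34:29 UTC - caploz.in.ua - GET /5butqfk/?2
- 07:34:32 UTC - caploz.in.ua - GET /5butqfk/?15cc4a0af7ef2b9558500f58065a0958060452580003005a0406500601075650
- 07:34:32 UTC - caploz.in.ua - GET /5butqfk/?6553f83e269ca82a4559430854030a5c01040408525a035e03060656535e5554;5110411
- 07:34:55 UTC - caploz.in.ua - GET /5butqfk/?2e3407d0a0e3d8095317520f020c5d090554020f0455540b0756005105510201
- 07:35:07 UTC - caploz.in.ua - GET /5butqfk/?3af5549ec85617c95019030e070f005c0450570e0156095e0652555000525f54;1;2;1
"""

# Constructed input: a subset of the Sguil/Snort lines listed under SNORT EVENTS
SNORT_EVENTS = """\
- 2014-04-04 07:34:29 UTC - 192.168.204.212:49708 - 190.123.47.198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
- 2014-04-04 07:34:29 UTC - 192.168.204.212:49715 - 64.202.116.124:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
- 2014-04-04 07:34:30 UTC - 64.202.116.124:80 - 192.168.204.212:49715 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-04-04 07:34:32 UTC - 192.168.204.212:49754 - 64.202.116.124:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-04-04 07:34:32 UTC - 64.202.116.124:80 - 192.168.204.212:49762 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
- 2014-04-04 07:34:55 UTC - 192.168.204.212:49809 - 64.202.116.124:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-04-04 07:34:55 UTC - 192.168.204.212:49809 - 64.202.116.124:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
- 2014-04-04 07:34:56 UTC - 64.202.116.124:80 - 192.168.204.212:49809 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
"""

HTTP_LINE = re.compile(r"^- (\d\d:\d\d:\d\d) UTC - (\S+) - GET (\S+)$")
ALERT_LINE = re.compile(
    r"^- (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - ([\d.]+):\d+ - ([\d.]+):\d+ - (.+)$")

# Fiesta-style URI shape as seen in this capture: one short directory, then "?" and either a
# small number (landing page, e.g. /5butqfk/?2) or a 64-hex-char token with zero or more
# ";<digits>" suffixes. The suffix meaning is not established by the page, so it is kept opaque.
LANDING_RE = re.compile(r"^/[a-z0-9]+/\?\d+$")
TOKEN_RE = re.compile(r"^/[a-z0-9]+/\?([0-9a-f]{64})((?:;\d+)*)$")


def classify_uri(uri):
    """Return ("landing", ()), ("hex-token", (suffix, ...)) or None for a path+query string."""
    if LANDING_RE.match(uri):
        return ("landing", ())
    m = TOKEN_RE.match(uri)
    if not m:
        return None
    suffixes = tuple(int(s) for s in m.group(2).split(";") if s)
    return ("hex-token", suffixes)


def parse_http(text):
    """Yield (datetime, host, uri) from request lines in the page's list format."""
    out = []
    for line in text.splitlines():
        m = HTTP_LINE.match(line)
        if m:
            ts = datetime.strptime(f"{CAPTURE_DATE} {m.group(1)}", "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out


def parse_alerts(text):
    """Yield (datetime, remote_ip, signature); remote_ip is whichever end is not the victim."""
    out = []
    for line in text.splitlines():
        m = ALERT_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            src, dst, sig = m.group(2), m.group(3), m.group(4)
            out.append((ts, dst if src == VICTIM_IP else src, sig))
    return out


def correlate(http_text, alert_text, window_seconds=2):
    """Pair each GET with the signatures fired for the same server within the window after it."""
    alerts = parse_alerts(alert_text)
    window = timedelta(seconds=window_seconds)
    rows = []
    for ts, host, uri in parse_http(http_text):
        ip = HOST_TO_IP.get(host)
        sigs = [sig for ats, remote, sig in alerts if remote == ip and ts <= ats <= ts + window]
        rows.append({"time": ts.strftime("%H:%M:%S"), "host": host, "uri": uri,
                     "class": classify_uri(uri), "alerts": sigs})
    return rows


if __name__ == "__main__":
    for row in correlate(HTTP_EVENTS, SNORT_EVENTS):
        print(row["time"], row["host"], row["class"], "|", "; ".join(row["alerts"]) or "-")
```

Run as a script it prints the joined timeline. Note that both 07:34:32 requests pick up the Silverlight alert, because the request list on this page is only second-granular; a real join should key on the client TCP port (49754 versus 49762 in the Sguil lines), which the PCAP has but the request list above does not carry.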
HIGHLIGHTS FROM THE TRAFFIC
The screenshots that illustrated this section are not reproduced in this text copy; their captions, in order, were:
- Embedded javascript in the infected web page
- Redirect
- Fiesta EK delivers CVE-2013-2551 IE exploit
- CVE-2013-2551 IE exploit delivers EXE payload
- Fiesta EK delivers CVE-2013-0074 Silverlight exploit
- CVE-2013-0074 Silverlight exploit delivers EXE payload
- Fiesta EK delivers CVE-2012-0507 Java exploit
- CVE-2012-0507 Java exploit delivers EXE payload
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-04-04-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-04-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.