2014-04-05 - FIESTA EK
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-04-05-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-05-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 69.64.39.155 - kdypotlwyv.myvnc.com - Fiesta EK
- 46.165.222.218 - (no domain, contacted directly by IP) - Callback traffic seen
INFECTION CHAIN OF EVENTS
- 21:52:26 UTC - kdypotlwyv.myvnc.com - GET /zceesbkj9r2qtdburl5qmqgw0a2iryjaq1lfbtp
- 21:52:34 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?6dc0ff6f0214a7ed5f070e0b575d0450045256025d5254560d515004565154570e
- 21:52:34 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?1dadd6077255c2f74208175f550d0201035254565f0252070a5152505401520609;4050524
- 21:52:35 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?42e4e13a51be06075d51030f540a0157060450065e0551510f0756005506515304
- 21:52:40 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?5eb2d41a96a43cac5f0b0e09550f0357075357005f0053510e505106540353500d
- 21:52:41 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?15bef39174c6b6685245095e57080b07030357575d075b010a00515156045b0009;6
- 21:52:43 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?15bef39174c6b6685245095e57080b07030357575d075b010a00515156045b0009;6;1
- 21:52:44 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?3a8d6d2c6851cce65c0e5a5f075f005501570d560d50505308540b500653505105
- 21:52:44 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?3a8d6d2c6851cce65c0e5a5f075f005501570d560d50505308540b500653505105
- 21:52:45 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?4047ad224bb8bb8a5748510c505f0004060601055a5050020f050703515350030c;1;4
- 21:52:48 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?4047ad224bb8bb8a5748510c505f0004060601055a5050020f050703515350030c;1;4;1
POST-INFECTION CALLBACK
- 21:53:21 UTC - 46.165.222.218 - POST /
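The request list above shows the three things worth alerting on in this traffic: the exploit kit on a dynamic DNS host, the Fiesta URI shape (short directory, "?", a 60+ character hex blob, then ";N" or ";N;M" counters on the follow-up requests), and a POST to a bare dotted-quad IP right after the infection. The script below is an added example, not part of the original post, that parses request lines in the format used above and tags them the way the ET rules in the Snort section do. The sample log is copied from the chain of events; the tag names, the "long random path" landing-page heuristic, and the reading of the counter suffixes as follow-on stages are assumptions made for this example.

```python
"""Triage HTTP request lines for the Fiesta EK URI shape and callback seen on this page."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Dynamic DNS zone observed in this capture (the ET alerts identify myvnc.com
# as a No-IP zone). Add your own zones here; only myvnc.com comes from the page.
DDNS_ZONES = ("myvnc.com",)

# Fiesta EK request shape seen above: a short alphanumeric directory, "?", a run
# of 60+ hex characters (the ET "gt 60char hex-ascii" rule), then optional
# ";N[;M...]" counters on the follow-up requests.
FIESTA_URI = re.compile(r"^/[a-z0-9]{5,12}/\?([0-9a-f]{60,})((?:;\d+)*)$")

# Long random-looking path with no query string, like the landing-page request.
# Heuristic assumed for this example, not an ET rule.
LONG_RANDOM_PATH = re.compile(r"^/[a-z0-9]{30,}$")

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# "HH:MM:SS UTC - host - METHOD /path", optionally prefixed with "- " as in the list above.
LOG_LINE = re.compile(r"^(?:-\s*)?(\d\d:\d\d:\d\d) UTC - (\S+) - (GET|POST) (\S+)$")


@dataclass
class Request:
    time: str
    host: str
    method: str
    uri: str
    tags: list = field(default_factory=list)
    token: str = ""      # hex blob from a Fiesta-style URI, if any
    counters: str = ""   # ";N;M" suffix from a Fiesta-style URI, if any


def classify(req):
    """Attach tags describing why a request looks like exploit-kit traffic."""
    if any(req.host == z or req.host.endswith("." + z) for z in DDNS_ZONES):
        req.tags.append("ddns-host")
    m = FIESTA_URI.match(req.uri)
    if m:
        req.token, req.counters = m.group(1), m.group(2)
        req.tags.append("fiesta-uri")
        if req.counters:
            req.tags.append("fiesta-stage")
    elif LONG_RANDOM_PATH.match(req.uri):
        req.tags.append("long-random-path")
    if req.method == "POST" and DOTTED_QUAD.match(req.host):
        req.tags.append("post-to-dotted-quad")
    return req


def parse_log(text):
    """Parse request lines; headings and blank lines are skipped."""
    reqs = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            reqs.append(classify(Request(*m.groups())))
    return reqs


def stage_chains(reqs):
    """Group Fiesta-style requests by hex token, in order of their ';' counters.

    A token that recurs with growing counters marks follow-up requests to the same
    exploit; in this capture those come right after the exploit deliveries, so they
    are the first streams to pull from the pcap when looking for the dropped file.
    """
    chains = defaultdict(list)
    for r in reqs:
        if "fiesta-uri" in r.tags:
            chains[r.token].append(r.counters)
    return dict(chains)


def triage(text):
    reqs = parse_log(text)
    summary = {
        "requests": len(reqs),
        "ek_hosts": sorted({r.host for r in reqs if "fiesta-uri" in r.tags}),
        "callbacks": [(r.time, r.host) for r in reqs if "post-to-dotted-quad" in r.tags],
        "chains": stage_chains(reqs),
    }
    return reqs, summary


# Constructed test input: the request lines from the chain of events above.
SAMPLE_LOG = """
- 21:52:26 UTC - kdypotlwyv.myvnc.com - GET /zceesbkj9r2qtdburl5qmqgw0a2iryjaq1lfbtp
- 21:52:34 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?6dc0ff6f0214a7ed5f070e0b575d0450045256025d5254560d515004565154570e
- 21:52:34 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?1dadd6077255c2f74208175f550d0201035254565f0252070a5152505401520609;4050524
- 21:52:35 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?42e4e13a51be06075d51030f540a0157060450065e0551510f0756005506515304
- 21:52:40 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?5eb2d41a96a43cac5f0b0e09550f0357075357005f0053510e505106540353500d
- 21:52:41 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?15bef39174c6b6685245095e57080b07030357575d075b010a00515156045b0009;6
- 21:52:43 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?15bef39174c6b6685245095e57080b07030357575d075b010a00515156045b0009;6;1
- 21:52:44 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?3a8d6d2c6851cce65c0e5a5f075f005501570d560d50505308540b500653505105
- 21:52:44 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?3a8d6d2c6851cce65c0e5a5f075f005501570d560d50505308540b500653505105
- 21:52:45 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?4047ad224bb8bb8a5748510c505f0004060601055a5050020f050703515350030c;1;4
- 21:52:48 UTC - kdypotlwyv.myvnc.com - GET /rmvk30g/?4047ad224bb8bb8a5748510c505f0004060601055a5050020f050703515350030c;1;4;1
- 21:53:21 UTC - 46.165.222.218 - POST /
"""

if __name__ == "__main__":
    reqs, summary = triage(SAMPLE_LOG)
    for r in reqs:
        print(r.time, r.host, r.method, r.uri[:40], r.tags)
    print("EK hosts:", summary["ek_hosts"])
    print("Callbacks:", summary["callbacks"])
    for token, counters in summary["chains"].items():
        print(token[:16] + "...", counters)
```

Feed it the request column from an HTTP log or a tshark `http.request` export in the same "time - host - method uri" shape. The hex-length threshold mirrors the ET rule, so it will also fire on other kits that use long hex query strings; the DDNS tag and the repeat-with-counters chains are what separate Fiesta from generic hits.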
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT - CVE-2013-0074
File name: 2014-04-05-Fiesta-EK-silverlight-exploit.xap
File size: 5.3 KB ( 5396 bytes )
MD5 hash: 85f7d443373e6150333752ce8ba14388
Detection ratio: 18 / 51
First submission: 2014-04-01 00:22:32 UTC
VirusTotal link: https://www.virustotal.com/en/file/977514f84e79294e2c28664beeb5d629263eef7d40ca6919d0396e7e8dd9c9d4/analysis/
JAVA EXPLOIT
File name: 2014-04-05-Fiesta-EK-java-exploit.jar
File size: 7.3 KB ( 7460 bytes )
MD5 hash: 17575d806f5ad6eb1cfa951948f618c0
Detection ratio: 7 / 51
First submission: 2014-04-01 00:22:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/91578a8568e1d3f4b28fc87b9a4274923884b852d2190b51e53f828331d07082/analysis/
MALWARE PAYLOAD
File name: 2014-04-05-Fiesta-EK-malware-payload.exe
File size: 138.4 KB ( 141687 bytes )
MD5 hash: 62639b4c0e3861c4afb71e2692e0f2bf
Detection ratio: 4 / 51
First submission: 2014-04-05 22:37:01 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ca596f7b9966f737768f184c8b2f539a0b87ebe55bdba750c61d4cadb9d8a03/analysis/
Malwr link: https://malwr.com/analysis/MGIyMjAwMWEwODE5NDBhZTk2OTVjZmQwMzc1MjI0NmI/
SNORT EVENTS
SNORT EVENTS FROM THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-04-05 21:52:26 UTC - 172.16.117.132:49373 - 69.64.39.155:80 - ET INFO HTTP Connection To DDNS Domain Myvnc.com
- 2014-04-05 21:52:27 UTC - 69.64.39.155:80 - 172.16.117.132:49373 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-04-05 21:52:34 UTC - 172.16.117.132:49379 - 69.64.39.155:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-04-05 21:52:35 UTC - 69.64.39.155:80 - 172.16.117.132:49380 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
- 2014-04-05 21:52:40 UTC - 172.16.117.132:49387 - 69.64.39.155:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
- 2014-04-05 21:52:40 UTC - 172.16.117.132:49387 - 69.64.39.155:80 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain
- 2014-04-05 21:52:40 UTC - 172.16.117.132:49387 - 69.64.39.155:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-04-05 21:52:41 UTC - 69.64.39.155:80 - 172.16.117.132:49387 - ET CURRENT_EVENTS Possible J7u21 click2play bypass
- 2014-04-05 21:52:44 UTC - 69.64.39.155:80 - 172.16.117.132:49393 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- 2014-04-05 21:52:44 UTC - 69.64.39.155:80 - 172.16.117.132:49393 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-04-05 21:52:44 UTC - 69.64.39.155:80 - 172.16.117.132:49393 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- 2014-04-05 21:52:44 UTC - 69.64.39.155:80 - 172.16.117.132:49393 - ET TROJAN Generic - 8Char.JAR Naming Algorithm
- 2014-04-05 21:53:21 UTC - 172.16.117.132:49397 - 46.165.222.218:80 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
MISC
Embedded javascript in the infected web page that led to the Fiesta exploit kit:
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-04-05-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-05-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.