2014-06-05 - FIESTA EK FROM 64.202.116.151 - DOGINTOO.IN.UA
ASSOCIATED FILES:
- ZIP of PCAPs: 2014-06-05-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-05-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 108.168.252.27 - www.wranglerforum.com - Compromised website
- 75.102.9.195 - frozerry.com - Redirect
- 64.202.116.151 - dogintoo.in.ua - Fiesta EK
- 195.2.253.38 - 195.2.253.38 - Post-infection callback
COMPROMISED WEBSITE AND REDIRECT:
- 18:48:45 UTC - www.wranglerforum.com - GET /
- 18:48:46 UTC - frozerry.com - GET /piNfcJgSomh3ws.js?pNY6ZT4=3ef0a6cb541dab381d00f5a18ef23c
FIESTA EK:
- 18:48:47 UTC - dogintoo.in.ua - GET /v20idaf/2
- 18:48:48 UTC - dogintoo.in.ua - GET /v20idaf/106b45df758a527142475059060e5750080604590057545d04030f5256575507;112202;228
- 18:48:48 UTC - dogintoo.in.ua - GET /v20idaf/58c006617a2067d85c5d0f0b020d05070c0e510b0454060a000b5a0052540750
- 18:48:48 UTC - dogintoo.in.ua - GET /v20idaf/44ef81d1ab53e4674758135d0a0a57070d02575d0c53540a01075c565a535550;4060129
- 18:48:48 UTC - dogintoo.in.ua - GET /v20idaf/66e7367e8e92642255460e0c010d04530f00570c0754075e03055c0751540604;6
- 18:48:49 UTC - dogintoo.in.ua - GET /v20idaf/66e7367e8e92642255460e0c010d04530f00570c0754075e03055c0751540604;6;1
- 18:48:50 UTC - dogintoo.in.ua - GET /v20idaf/7e345e3c8e9264225415580f075e00550e53010f0107035802560a0457070202;4
- 18:48:51 UTC - dogintoo.in.ua - GET /v20idaf/7e345e3c8e9264225415580f075e00550e53010f0107035802560a0457070202;4;1
- 18:48:52 UTC - dogintoo.in.ua - GET /v20idaf/55f0074a8e92642256450d0b020c07570c03540b0455045a00065f0052550500;5
- 18:48:53 UTC - dogintoo.in.ua - GET /v20idaf/55f0074a8e92642256450d0b020c07570c03540b0455045a00065f0052550500;5;1
- 18:49:02 UTC - dogintoo.in.ua - GET /v20idaf/04efdc142d2c94445146045d565802020902575d5001010f05075c5606010055
- 18:49:05 UTC - dogintoo.in.ua - GET /v20idaf/3d89ab2645995b84501c5d02535901000a520a025500020d0657010903000357;1;2
- 18:49:05 UTC - dogintoo.in.ua - GET /v20idaf/3d89ab2645995b84501c5d02535901000a520a025500020d0657010903000357;1;2;1
POST-INFECTION CALLBACK TRAFFIC:
- 18:48:58 UTC - 195.2.253.38 - POST /
- 18:48:58 UTC - 195.2.253.38 - POST /
- 18:49:00 UTC - 195.2.253.38 - POST /
- 18:49:11 UTC - 195.2.253.38 - POST /
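As an added example (not part of the original write-up), the following Python parses request lines in the format of the chain of events above and flags the two shapes a defender would want to alert on in this traffic: the Fiesta-style URI (a short directory token, a 64-character hex string, then optional semicolon-separated numeric parameters) and a POST to "/" on a bare IP address. The regexes and labels are this example's own approximation, not the logic of the Snort rules listed later on the page.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the chain of events above,
# in the format "<time> UTC - <host> - <method> <path>".
SAMPLE_LOG = """\
18:48:45 UTC - www.wranglerforum.com - GET /
18:48:46 UTC - frozerry.com - GET /piNfcJgSomh3ws.js?pNY6ZT4=3ef0a6cb541dab381d00f5a18ef23c
18:48:47 UTC - dogintoo.in.ua - GET /v20idaf/2
18:48:48 UTC - dogintoo.in.ua - GET /v20idaf/106b45df758a527142475059060e5750080604590057545d04030f5256575507;112202;228
18:48:48 UTC - dogintoo.in.ua - GET /v20idaf/58c006617a2067d85c5d0f0b020d05070c0e510b0454060a000b5a0052540750
18:48:49 UTC - dogintoo.in.ua - GET /v20idaf/66e7367e8e92642255460e0c010d04530f00570c0754075e03055c0751540604;6;1
18:48:58 UTC - 195.2.253.38 - POST /
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$")
# Fiesta-style URI as seen above: /<token>/<64 hex chars>[;<number>[;<number>...]]
FIESTA_URI_RE = re.compile(r"^/[a-z0-9]+/(?P<tok>[0-9a-f]{64})(?P<args>(?:;\d+)*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def classify(host, method, path):
    """Label one request; the label names are this example's own."""
    if FIESTA_URI_RE.match(path):
        return "fiesta-uri"
    if method == "POST" and path == "/" and IPV4_RE.match(host):
        return "post-to-bare-ip"
    return "other"

def fiesta_params(path):
    """Numeric ';'-separated parameters after the 64-hex token, or None if not Fiesta-shaped."""
    m = FIESTA_URI_RE.match(path)
    if not m:
        return None
    return [int(x) for x in m["args"].split(";") if x]

def scan(log_text):
    """Parse log lines; return (Counter of labels, list of (time, host, label, path))."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = classify(m["host"], m["method"], m["path"])
        hits.append((m["time"], m["host"], label, m["path"]))
    return Counter(h[2] for h in hits), hits

if __name__ == "__main__":
    counts, hits = scan(SAMPLE_LOG)
    print(dict(counts))
    for t, host, label, path in hits:
        print(t, host, label, path[:40])
```

The landing request (/v20idaf/2) and the compromised site and redirector deliberately fall into "other"; the URI-shape check only fires once the 64-hex token appears.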
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-06-05-Fiesta-EK-flash-exploit.swf
File size: 9.8 KB ( 9999 bytes )
MD5 hash: 7968f2df33712bc73561930180b1a1a8
Detection ratio: 1 / 50
First submission: 2014-06-04 22:54:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/f629890d379bc3795f8526ee9c93eb4f3fee65807b8e398e0c0273d0106c4ba2/analysis/
File name: 2014-06-05-Fiesta-EK-flash-exploit-uncompressed.swf
File size: 15.3 KB ( 15662 bytes )
MD5 hash: 3c0ef113f37e46a1b8ed10f2457d7111
Detection ratio: 1 / 51
First submission: 2014-06-05 22:09:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/f2ef370bfcd64ffb91ac5e1ff28d41f71504a49cbbcba178df5a95ba6619971f/analysis/
JAVA EXPLOIT
File name: 2014-06-05-Fiesta-EK-java-exploit.jar
File size: 4.7 KB ( 4766 bytes )
MD5 hash: 22341b4cebca1696647a4966a9bf93ef
Detection ratio: 6 / 51
First submission: 2014-06-05 17:25:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/b2740cf3612a235ac6f2c4a4969ce59883bc81bcfd9c3db9723b05316a807479/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-05-Fiesta-EK-silverlight-exploit.xap
File size: 11.2 KB ( 11458 bytes )
MD5 hash: 12952a3839c4fbb3f315fb55ac3b77b2
Detection ratio: 0 / 50
First submission: 2014-06-05 22:09:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/514cec2e3ee686bc7d171ec424bb54b4ab88dfcb2b9231cb86dfd0ce12c1099f/analysis/
MALWARE PAYLOAD
File name: 2014-06-05-Fiesta-EK-malware-payload.exe
File size: 132.5 KB ( 135692 bytes )
MD5 hash: a379bc80f7bedbe1ba3a3c375a49150f
Detection ratio: 21 / 47
First submission: 2014-06-05 15:58:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/96204263f119d1ab54094104f63bbabe075cae8983f37b59c355dd002652b906/analysis/
Malwr link: https://malwr.com/analysis/YjY5ZjRmZmE5ODFlNGFmOTg5MGEzMzg4YjczZmRlOTM/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
Emerging Threats or ETPRO rulesets:
- 2014-06-05 18:49:05 UTC - 172.16.165.133:49304 - 64.202.116.151:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-06-05 18:49:05 UTC - 64.202.116.151:80 - 172.16.165.133:49304 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-06-05 18:49:05 UTC - 64.202.116.151:80 - 172.16.165.133:49304 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
- 2014-06-05 18:49:19 UTC - 172.16.165.133:49301 - 64.202.116.151:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
Sourcefire VRT ruleset:
- 2014-06-05 18:49:05 UTC - 64.202.116.151:80 - 172.16.165.133:49304 - EXPLOIT-KIT Angler exploit kit Silverlight exploit download (sid:28612)
- 2014-06-05 18:49:05 UTC - 172.16.165.133:49304 - 64.202.116.151:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
- 2014-06-05 18:49:19 UTC - 64.202.116.151:80 - 172.16.165.133:49301 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-05-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-05-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.