2014-06-07 - FIESTA EK FROM 85.25.20.27 - RUKMNQYEGT.REDIRECTME.NET
ASSOCIATED FILES:
- ZIP of PCAPs: 2014-06-07-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-07-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 31.47.241.104 - erw-in.de - Compromised website
- 85.25.20.27 - rukmnqyegt.redirectme.net - Fiesta EK
COMPROMISED WEBSITE:
- 01:51:58 UTC - erw-in.de - GET /
FIESTA EK:
- 01:52:01 UTC - rukmnqyegt.redirectme.net - GET /osf3tyzhuohcvpxoythoclzqruiis6rxd9w
- 01:52:07 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/7663b30374544eb6444150085108010203060407590752030c03050a5004000607;120000;38
- 01:52:07 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/10143be4805e2251425c470f0059540505000300085607040a05020d0155550101;5110411
- 01:52:15 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/0bd7488186cd56ce53120f0c07030900045256030f0c5a010b57570e060f080400;5
- 01:52:16 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/0bd7488186cd56ce53120f0c07030900045256030f0c5a010b57570e060f080400;5;1
- 01:52:17 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/5c33635d64afdc0a5f0d5f0805080455015301070d0757540e56000a0404055105
- 01:52:17 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/210e6e6e86cd56ce51415b5e055e0754060102510d5154550904035c0452065002;6
- 01:52:18 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/210e6e6e86cd56ce51415b5e055e0754060102510d5154550904035c0452065002;6;1
- 01:52:19 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/0578ac717de201475f5a5503525806000405050c5a5755010b0004015354070700
- 01:52:19 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/0578ac717de201475f5a5503525806000405050c5a5755010b0004015354070700
- 01:52:20 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/33085a3bb9b35b2c504b5503065a02530703020c0e555152080603010756035703;1;3
- 01:52:21 UTC - rukmnqyegt.redirectme.net - GET /p1c6drv/33085a3bb9b35b2c504b5503065a02530703020c0e555152080603010756035703;1;3;1
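The request chain above shows the URI shape Fiesta EK used at the time: a single long alphanumeric path for the landing page, then repeated requests to a short directory with a 60-plus-character hex-ascii token and zero or more ";<number>" arguments, all to a No-IP dynamic-DNS host. The following Python triage script is an added example (not part of the original writeup and not the ET or VRT signatures) that replays this chain from a constructed proxy-style log and flags hosts showing that structure. The regexes, the dynamic-DNS suffix list and the log format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed proxy-style log ("<UTC time> <host> <method> <uri>"), rebuilt from the
# chain of events above, plus one benign erw-in.de line added for contrast.
SAMPLE_LOG = """\
01:51:58 erw-in.de GET /
01:51:59 erw-in.de GET /static/app.3f1a0c9e5b7d2a4c8e6f0b1d3a5c7e9f.css
01:52:01 rukmnqyegt.redirectme.net GET /osf3tyzhuohcvpxoythoclzqruiis6rxd9w
01:52:07 rukmnqyegt.redirectme.net GET /p1c6drv/7663b30374544eb6444150085108010203060407590752030c03050a5004000607;120000;38
01:52:07 rukmnqyegt.redirectme.net GET /p1c6drv/10143be4805e2251425c470f0059540505000300085607040a05020d0155550101;5110411
01:52:15 rukmnqyegt.redirectme.net GET /p1c6drv/0bd7488186cd56ce53120f0c07030900045256030f0c5a010b57570e060f080400;5
01:52:16 rukmnqyegt.redirectme.net GET /p1c6drv/0bd7488186cd56ce53120f0c07030900045256030f0c5a010b57570e060f080400;5;1
01:52:17 rukmnqyegt.redirectme.net GET /p1c6drv/5c33635d64afdc0a5f0d5f0805080455015301070d0757540e56000a0404055105
01:52:20 rukmnqyegt.redirectme.net GET /p1c6drv/33085a3bb9b35b2c504b5503065a02530703020c0e555152080603010756035703;1;3
01:52:21 rukmnqyegt.redirectme.net GET /p1c6drv/33085a3bb9b35b2c504b5503065a02530703020c0e555152080603010756035703;1;3;1
"""

# Heuristic patterns written for this example (assumptions, not the ET/VRT signatures):
#   short lowercase directory, then a hex-ascii token of 60+ chars, then zero or more
#   ";<digits>" arguments (the "gt 60char hex-ascii" shape the ET Java rule keys on).
FIESTA_STRUCT = re.compile(r"^/[a-z0-9]{4,12}/([0-9a-f]{60,})((?:;\d+)*)$")
#   single long lowercase-alphanumeric path segment with no extension, as in the
#   first request to the EK host above.
LANDING = re.compile(r"^/[a-z0-9]{25,}$")

# Partial list of No-IP dynamic-DNS suffixes, assumed for this example.
DYNDNS_SUFFIXES = ("redirectme.net", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org")


def is_dyndns(host):
    """True if host is (or is under) one of the dynamic-DNS suffixes."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def classify_uri(uri):
    """Return (kind, hex_token, args) where kind is fiesta_struct, landing or other."""
    m = FIESTA_STRUCT.match(uri)
    if m:
        token, raw_args = m.group(1), m.group(2)
        args = tuple(int(a) for a in raw_args.split(";")[1:])  # ";5;1" -> (5, 1)
        return "fiesta_struct", token, args
    if LANDING.match(uri):
        return "landing", None, ()
    return "other", None, ()


def parse_line(line):
    ts, host, method, uri = line.split(" ", 3)
    return {"ts": ts, "host": host, "method": method, "uri": uri}


def analyze(log_text):
    """Per-host summary: landing/struct counts, hex tokens seen and their argument lists."""
    hosts = defaultdict(lambda: {"landing": 0, "struct": 0, "tokens": {}, "dyndns": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind, token, args = classify_uri(rec["uri"])
        h = hosts[rec["host"]]
        h["dyndns"] = is_dyndns(rec["host"])
        if kind == "landing":
            h["landing"] += 1
        elif kind == "fiesta_struct":
            h["struct"] += 1
            # the same token recurs with a growing argument list (";5" then ";5;1")
            h["tokens"].setdefault(token, []).append(args)
    return dict(hosts)


def verdicts(log_text):
    """Hosts worth escalating, with reasons; a Fiesta-style URI structure alone is enough."""
    out = []
    for host, h in analyze(log_text).items():
        reasons = []
        if h["struct"]:
            reasons.append("%d Fiesta-style URIs over %d distinct tokens" % (h["struct"], len(h["tokens"])))
        if h["landing"]:
            reasons.append("%d landing-page-like request(s)" % h["landing"])
        if h["dyndns"]:
            reasons.append("dynamic-DNS host")
        if h["struct"] or (h["landing"] and h["dyndns"]):
            out.append((host, "; ".join(reasons)))
    return out


if __name__ == "__main__":
    for host, why in verdicts(SAMPLE_LOG):
        print(host, "->", why)
```

Run against the constructed log it reports only rukmnqyegt.redirectme.net, with seven Fiesta-style requests over five distinct hex tokens, one landing-page-like request and the dynamic-DNS host; the compromised site erw-in.de produces nothing. The landing-page regex on its own is far too loose to alert on, which is why it is only used in combination with the dynamic-DNS check.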
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-06-07-Fiesta-EK-flash-exploit.swf
File size: 9.8 KB ( 9999 bytes )
MD5 hash: not recorded in this writeup (the SHA256 in the VirusTotal link below is f629890d379bc3795f8526ee9c93eb4f3fee65807b8e398e0c0273d0106c4ba2)
Detection ratio: 1 / 36
First submission: 2014-06-04 22:54:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/f629890d379bc3795f8526ee9c93eb4f3fee65807b8e398e0c0273d0106c4ba2/analysis/
File name: 2014-06-07-Fiesta-EK-flash-exploit-uncompressed.swf
File size: 15.3 KB ( 15662 bytes )
MD5 hash: 3c0ef113f37e46a1b8ed10f2457d7111
Detection ratio: 2 / 51
First submission: 2014-06-05 22:09:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/f2ef370bfcd64ffb91ac5e1ff28d41f71504a49cbbcba178df5a95ba6619971f/analysis/
JAVA EXPLOIT
File name: 2014-06-07-Fiesta-EK-java-exploit.jar
File size: 7.3 KB ( 7446 bytes )
MD5 hash: ed2e61b302c6ed7ccb3699cc33d23f71
Detection ratio: 1 / 50
First submission: 2014-06-07 02:09:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/92d1bcb375d26a8d55e117b79ae3d41fc2a6cb4e55688c7815b0e732f099b8fc/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-07-Fiesta-EK-silverlight-exploit.xap
File size: 11.2 KB ( 11458 bytes )
MD5 hash: 12952a3839c4fbb3f315fb55ac3b77b2
Detection ratio: 3 / 51
First submission: 2014-06-05 22:09:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/514cec2e3ee686bc7d171ec424bb54b4ab88dfcb2b9231cb86dfd0ce12c1099f/analysis/
MALWARE PAYLOAD
File name: 2014-06-07-Fiesta-EK-malware-payload.exe
File size: 132.0 KB ( 135176 bytes )
MD5 hash: 866feb555402f3187e335617b4f83210
Detection ratio: 4 / 50
First submission: 2014-06-07 02:00:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/c8584322005284e2e7cdee083bbc6d4ac510ca413dacbd4f520abe6636ab0b49/analysis/
Malwr link: https://malwr.com/analysis/ODVhNzY5NWM2ZDg3NDdhMmI0YjNhN2U1YTBhMzkzNzA/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
Emerging Threats and ETPRO rulesets:
- 2014-06-07 01:52:22 UTC - 85.25.20.27:80 - 172.16.165.132:49700 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
- 2014-06-07 01:52:22 UTC - 172.16.165.132:49701 - 85.25.20.27:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-06-07 01:52:23 UTC - 85.25.20.27:80 - 172.16.165.132:49701 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-06-07 01:52:31 UTC - 172.16.165.132:49702 - 85.25.20.27:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
- 2014-06-07 01:52:31 UTC - 172.16.165.132:49702 - 85.25.20.27:80 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain (sid:2016582)
- 2014-06-07 01:52:32 UTC - 85.25.20.27:80 - 172.16.165.132:49702 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
Sourcefire VRT ruleset:
- 2014-06-07 01:52:22 UTC - 172.16.165.132:49700 - 85.25.20.27:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
- 2014-06-07 01:52:23 UTC - 85.25.20.27:80 - 172.16.165.132:49701 - EXPLOIT-KIT Angler exploit kit Silverlight exploit download (sid:28612)
- 2014-06-07 01:52:34 UTC - 85.25.20.27:80 - 172.16.165.132:49702 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
Note: sid 28612 is named for Angler but fired here on the Fiesta Silverlight download (the ET event at the same second, sid 2018409, names Fiesta). Treat a VRT or ET rule name as a signature match rather than a kit attribution, and confirm the kit from the URI structure in the chain of events above.
SCREENSHOT FROM THE TRAFFIC
Malicious javascript in page from compromised website:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-07-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-07-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.