2014-06-11 - FIESTA EK FROM 64.202.116.151 - DOTCOMOR.IN.UA
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-11-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-11-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 208.43.210.234 - www.electriciantalk.com - Compromised website
- 75.102.9.195 - homyakys.com - Redirect
- 64.202.116.151 - dotcomor.in.ua - Fiesta EK
- 79.142.66.240 - report.i1qgmy7c31uo317i31.com, report.q17c3179g179317931.com, and report.1i9qgm9gm7g31aa3.com - Post-infection callback
- 5.149.248.153 - report.317c31u9mywsk1ywsk.com and update1.x887bn03fp.com - additional Post-infection callback noted in Malwr.com sandbox analysis
COMPROMISED WEBSITE AND REDIRECT:
- 06:56:12 UTC - www.electriciantalk.com - GET /f17/
- 06:56:14 UTC - homyakys.com - GET /aDRdISwCp3TUb4q.js?I0Kw=3eb92963a3c0b645fb979
FIESTA EK:
- 06:56:15 UTC - dotcomor.in.ua - GET /v20idaf/2
- 06:56:19 UTC - dotcomor.in.ua - GET /v20idaf/589c0221b902a302464f5f5802090102070d00580450020a000b005456560201;120000;38
- 06:56:20 UTC - dotcomor.in.ua - GET /v20idaf/316c469567db1514405d4058060d0a0601040f580054090e06020f5452520905;5110411
- 06:56:21 UTC - dotcomor.in.ua - GET /v20idaf/1f498b3e421a955152165f020a59005603530d020c00035e04550d0e5e060355;6
- 06:56:23 UTC - dotcomor.in.ua - GET /v20idaf/1f498b3e421a955152165f020a59005603530d020c00035e04550d0e5e060355;6;1
- 06:56:32 UTC - dotcomor.in.ua - GET /v20idaf/13e8c26498ea45985b5d09035109050703065c035750060f04005c0f05560604
- 06:56:32 UTC - dotcomor.in.ua - GET /v20idaf/39ba06ef421a95515049095a020d5655010c5b5a0454555d060a5b5656525556;5
- 06:56:34 UTC - dotcomor.in.ua - GET /v20idaf/39ba06ef421a95515049095a020d5655010c5b5a0454555d060a5b5656525556;5;1
- 06:56:34 UTC - dotcomor.in.ua - GET /v20idaf/663e874b4e1429635959515e0a0c075104030a5e0c55045903050a525e530553
- 06:56:34 UTC - dotcomor.in.ua - GET /v20idaf/663e874b4e1429635959515e0a0c075104030a5e0c55045903050a525e530553
- 06:56:36 UTC - dotcomor.in.ua - GET /v20idaf/39f32f8a8911aaf750410308005d0b52010c5f080604085a060a5f0454020851;1;3
- 06:56:37 UTC - dotcomor.in.ua - GET /v20idaf/39f32f8a8911aaf750410308005d0b52010c5f080604085a060a5f0454020851;1;3;1
POST-INFECTION CALLBACK TRAFFIC:
- 06:56:24 UTC - report.i1qgmy7c31uo317i31.com - GET /?k3y7cE20=%96%CB%A7%A3%A2%A6%90%CDf%AA%C8%A3%B1%9B%9Bka%AA%A7%98ei%9C%96%95c%98%D1%A6%9Fg%ADj%89%BC%A8m%E9%DB %A7%95%E7%DD%92%A6b%A3%A0%A4%A9%5D%CF%A1%98%B2%D4%A1%5E%8C%BCY%9E%97%C7%AC%9D%A1i%B0z%9Awdi%AB%A6%B5%A0%A3%A7q%9Ca%B3%AB%B0%A9%7D%94vt%A5%A7ybx%A0Y%A3%93%D6%AC%9E%9Bc%A9g%95ub%60%A2%95%A1%9F%A2%A4%5E%99a%A1%97%93%EFt%93ca%A5%9Fehi%8F%A5%ABk%99%A3%91
- 06:56:34 UTC - report.q17c3179g179317931.com - GET /?U93120=%96%CB%A7%A3%A2%A6%90%D5fp%C4ii%9Bq%9Falq%98eil%96%95c%98%D1%A6%89mgdX%A7%E8%A2%E7%E5%A9%9A%A3%DA%95t%94ejni%8D%9D%A5%A0p%96%A5f%88%84T%D0%D8%D1%92iigis%A9%97%A2%A8%AB%B5s%A2bj%A6fay%7D%AAa%7Djvtgqybo%9A%95%DF%BA%ACpbb%60%A2%95%A2%9F%A2%A4%5E%A1bg%93cagi%97a%5D%60%9A %A1%93%C7%B3pgfT
- 06:56:38 UTC - report.1i9qgm9gm7g31aa3.com - GET /?9o17m20=%96%CB%A7%A3%A2%A6%90%95%9Er%D2%9D%A5%9D%9F%A5g%9Ck%96%95%93f%91%C7%A4%A2%9B%A8ek%A1eV%E9%DB%AD%E6%E8%ABT %A6%D2%9D%AE%98%9Fr%9E%9D%5D%D3%A1%98%9E%C6%A1%5B%B8%C2%93%A6%D8%95t%9Dhf%A9%A8%A7%A1%A4%ADgr%AEj%A2%9A%B0l%97%AF%7B%AAcw%92%A4v%5E%9B%B5%9Ez%A6W%A9%D2%A5m%A3%95%A0%9F %A2%A6%5Ea%99i%A1%98%9Di%97%9Dg%97ca%87%D7p%5E%93%9F%9Di%A1hi%93%A4%AA%AF%9B%A4%93
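The Fiesta requests above share one shape (a short directory, a 64-character lowercase hex token, optional ";"-separated numeric parameters), and the three callbacks share another (root path, a single alphanumeric query parameter whose value is mostly percent-encoded bytes of 0x80 and above). The following Python scanner is an added example written for this write-up, not code from the post's author and not the body of the ET "Fiesta URI Struct" or "gt 60char hex-ascii" rules. The log-line format, the regexes, and the 0.4 high-byte threshold are this example's own assumptions; the sample lines are constructed from the requests listed above (the embedded spaces in the first callback URI are dropped so it parses as one token) plus two benign controls.

```python
"""Flag Fiesta EK-shaped URIs and Simda-style callbacks in proxy-log style lines.

Added example for this write-up (not the post author's code). Regexes, the
high-byte threshold and the log format are assumptions made here; they are
not the ET/VRT rule bodies quoted in the post.
"""
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed from the requests listed in the post, plus two benign controls.
SAMPLE_LOG = """\
06:56:12 UTC - www.electriciantalk.com - GET /f17/
06:56:14 UTC - homyakys.com - GET /aDRdISwCp3TUb4q.js?I0Kw=3eb92963a3c0b645fb979
06:56:15 UTC - dotcomor.in.ua - GET /v20idaf/2
06:56:19 UTC - dotcomor.in.ua - GET /v20idaf/589c0221b902a302464f5f5802090102070d00580450020a000b005456560201;120000;38
06:56:20 UTC - dotcomor.in.ua - GET /v20idaf/316c469567db1514405d4058060d0a0601040f580054090e06020f5452520905;5110411
06:56:21 UTC - dotcomor.in.ua - GET /v20idaf/1f498b3e421a955152165f020a59005603530d020c00035e04550d0e5e060355;6
06:56:23 UTC - dotcomor.in.ua - GET /v20idaf/1f498b3e421a955152165f020a59005603530d020c00035e04550d0e5e060355;6;1
06:56:24 UTC - report.i1qgmy7c31uo317i31.com - GET /?k3y7cE20=%96%CB%A7%A3%A2%A6%90%CDf%AA%C8%A3%B1%9B%9Bka%AA%A7%98ei%9C%96%95c%98%D1%A6%9Fg%ADj%89%BC%A8m%E9%DB%A7%95%E7%DD%92%A6b%A3%A0%A4%A9%5D%CF%A1%98%B2%D4%A1%5E%8C%BCY%9E%97%C7%AC%9D%A1i%B0z%9Awdi%AB%A6%B5%A0%A3%A7q%9Ca%B3%AB%B0%A9%7D%94vt%A5%A7ybx%A0Y%A3%93%D6%AC%9E%9Bc%A9g%95ub%60%A2%95%A1%9F%A2%A4%5E%99a%A1%97%93%EFt%93ca%A5%9Fehi%8F%A5%ABk%99%A3%91
06:56:32 UTC - dotcomor.in.ua - GET /v20idaf/13e8c26498ea45985b5d09035109050703065c035750060f04005c0f05560604
06:57:00 UTC - www.example.com - GET /search?q=hello%20world
06:57:01 UTC - www.example.com - GET /?id=12345
"""

LOG_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) UTC - (?P<host>\S+) - GET (?P<url>\S+)$")

# Fiesta in this capture: /<dir>/<64 lowercase hex>[;<int>]* for exploit and
# payload requests, and /<dir>/<small integer> for the landing page.
FIESTA_EXPLOIT_RE = re.compile(
    r"^/[A-Za-z0-9]{4,16}/(?P<token>[0-9a-f]{64})(?P<params>(?:;\d+)*)$")
FIESTA_LANDING_RE = re.compile(r"^/[A-Za-z0-9]{4,16}/\d{1,3}$")


def classify_fiesta_uri(url):
    """Return ('exploit', [params]) or ('landing', []) for Fiesta-shaped URIs, else None."""
    m = FIESTA_EXPLOIT_RE.match(url)
    if m:
        params = [int(p) for p in m.group("params").split(";") if p]
        return ("exploit", params)
    if FIESTA_LANDING_RE.match(url):
        return ("landing", [])
    return None


def high_byte_ratio(encoded):
    """Fraction of bytes >= 0x80 after percent-decoding (0.0 for an empty value)."""
    raw = unquote_to_bytes(encoded)
    return sum(b >= 0x80 for b in raw) / len(raw) if raw else 0.0


def looks_like_callback(url, threshold=0.4, min_len=64):
    """Heuristic (assumption) for the callbacks seen here: root path, exactly one
    alphanumeric query parameter, long value that is mostly high bytes."""
    parts = urlsplit(url)
    if parts.path != "/" or not parts.query or "&" in parts.query:
        return False
    name, sep, value = parts.query.partition("=")
    if not sep or not re.fullmatch(r"[A-Za-z0-9]+", name):
        return False
    return len(value) >= min_len and high_byte_ratio(value) >= threshold


def scan(log_text):
    """Return (timestamp, host, label, params) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, host, url = m.group("ts", "host", "url")
        fiesta = classify_fiesta_uri(url)
        if fiesta:
            kind, params = fiesta
            hits.append((ts, host, "fiesta-" + kind, params))
        elif looks_like_callback(url):
            hits.append((ts, host, "callback", []))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The exploit regex is deliberately narrow (exactly 64 lowercase hex characters, numeric parameters only); on real proxy logs the landing-page pattern is the noisy one and is best used to confirm a host already flagged by the exploit pattern rather than on its own.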
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-06-11-Fiesta-EK-flash-exploit.swf
File size: 9.8 KB ( 10011 bytes )
MD5 hash: 3776a85e1d72c3b2891324074b321cc1
Detection ratio: 2 / 54
First submission: 2014-06-13 05:14:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/70e576688db8155eefff7cf42134e3f5d9fd4e427beec3067b421408454eb3c9/analysis/
JAVA EXPLOIT
File name: 2014-06-11-Fiesta-EK-java-exploit.jar
File size: 7.7 KB ( 7851 bytes )
MD5 hash: bb668b724fbf749c62094a014ae01861
Detection ratio: 4 / 54
First submission: 2014-06-10 15:07:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/8c87de523be610095c9f32feb4772125b4c49755fbae662bb9237f45c2f4ca14/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-11-Fiesta-EK-silverlight-exploit.xap
File size: 11.2 KB ( 11482 bytes )
MD5 hash: 88b15ddb871b858e384fb3ebb17991a9
Detection ratio: 2 / 54
First submission: 2014-06-10 10:16:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/daccb1628ac8ed91c31aa438e96e9732ffa2de7aa4de25d37a49bcb34e3b472c/analysis/
MALWARE PAYLOAD
File name: 2014-06-11-Fiesta-EK-malware-payload.exe
File size: 615.5 KB ( 630272 bytes )
MD5 hash: b74176ab760cd4752749576e879288f7
Detection ratio: 33 / 54
First submission: 2014-06-11 17:25:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/b0e6179f59b6a11f545703293e501bd567429afc423b849284c3202fbee7acb1/analysis/
Malwr link: https://malwr.com/analysis/YWE1ZjJiNmVkYmUzNDE0OWJlMmNkYWY1OWI1OTFhODI/
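Before opening anything from the malware ZIP it is worth confirming that what was extracted is exactly what is described above: the listed size, the listed MD5, and the SHA-256 that appears in each VirusTotal URL. The following Python is an added example for this write-up, not the post author's tooling; it parses the four sample descriptions as written above (copied into the text block) and checks files in a directory against them. The directory path is the only assumption a reader supplies.

```python
"""Parse the sample descriptions from the post and verify extracted files against them.

Added example for this write-up (not the post author's code). The manifest
text is copied from the post; the SHA-256 is taken from the VirusTotal URL.
"""
import hashlib
import os
import re

MANIFEST_TEXT = """\
File name: 2014-06-11-Fiesta-EK-flash-exploit.swf
File size: 9.8 KB ( 10011 bytes )
MD5 hash: 3776a85e1d72c3b2891324074b321cc1
VirusTotal link: https://www.virustotal.com/en/file/70e576688db8155eefff7cf42134e3f5d9fd4e427beec3067b421408454eb3c9/analysis/
File name: 2014-06-11-Fiesta-EK-java-exploit.jar
File size: 7.7 KB ( 7851 bytes )
MD5 hash: bb668b724fbf749c62094a014ae01861
VirusTotal link: https://www.virustotal.com/en/file/8c87de523be610095c9f32feb4772125b4c49755fbae662bb9237f45c2f4ca14/analysis/
File name: 2014-06-11-Fiesta-EK-silverlight-exploit.xap
File size: 11.2 KB ( 11482 bytes )
MD5 hash: 88b15ddb871b858e384fb3ebb17991a9
VirusTotal link: https://www.virustotal.com/en/file/daccb1628ac8ed91c31aa438e96e9732ffa2de7aa4de25d37a49bcb34e3b472c/analysis/
File name: 2014-06-11-Fiesta-EK-malware-payload.exe
File size: 615.5 KB ( 630272 bytes )
MD5 hash: b74176ab760cd4752749576e879288f7
VirusTotal link: https://www.virustotal.com/en/file/b0e6179f59b6a11f545703293e501bd567429afc423b849284c3202fbee7acb1/analysis/
"""

FIELD_RE = re.compile(r"^(File name|File size|MD5 hash|VirusTotal link): (.+)$")
BYTES_RE = re.compile(r"\(\s*(\d+) bytes")
SHA256_IN_URL_RE = re.compile(r"/file/([0-9a-f]{64})/")


def parse_manifest(text):
    """Turn the 'File name / File size / MD5 hash / VirusTotal link' blocks into dicts."""
    entries, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "File name":
            cur = {"name": val}
            entries.append(cur)
        elif key == "File size":
            cur["size"] = int(BYTES_RE.search(val).group(1))
        elif key == "MD5 hash":
            cur["md5"] = val.lower()
        elif key == "VirusTotal link":
            s = SHA256_IN_URL_RE.search(val)
            if s:
                cur["sha256"] = s.group(1)
    return entries


def hash_data(data):
    """(md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    """(md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def check_entry(entry, size, md5, sha256):
    """List of fields that disagree with the manifest entry (empty list means ok)."""
    bad = []
    if size != entry["size"]:
        bad.append("size")
    if md5 != entry["md5"]:
        bad.append("md5")
    if "sha256" in entry and sha256 != entry["sha256"]:
        bad.append("sha256")
    return bad


def verify(entries, directory):
    """Map file name -> 'ok', 'missing', or the list of mismatched fields."""
    results = {}
    for e in entries:
        path = os.path.join(directory, e["name"])
        if not os.path.isfile(path):
            results[e["name"]] = "missing"
            continue
        md5, sha = hash_file(path)
        bad = check_entry(e, os.path.getsize(path), md5, sha)
        results[e["name"]] = "ok" if not bad else bad
    return results


if __name__ == "__main__":
    # Assumption: samples extracted from the malware ZIP into ./samples
    for name, status in verify(parse_manifest(MANIFEST_TEXT), "samples").items():
        print(name, status)
```

Checking all three values matters: MD5 alone is the weakest of them, and the SHA-256 in the VirusTotal link is the identifier VirusTotal actually keys on, so a SHA-256 mismatch means the VirusTotal page does not describe the file in hand.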
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
Emerging Threats and ETPRO rulesets:
- 2014-06-11 06:56:19 UTC - 64.202.116.151:80 - 192.168.204.229:51463 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
- 2014-06-11 06:56:19 UTC - 192.168.204.229:51463 - 64.202.116.151:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-06-11 06:56:20 UTC - 64.202.116.151:80 - 192.168.204.229:51464 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-06-11 06:56:24 UTC - 192.168.204.229:51480 - 79.142.66.240:80 - ET TROJAN Simda.C Checkin (sid:2016300)
- 2014-06-11 06:56:32 UTC - 64.202.116.151:80 - 192.168.204.229:51493 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
- 2014-06-11 06:56:32 UTC - 192.168.204.229:51493 - 64.202.116.151:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
Sourcefire VRT ruleset:
- 2014-06-11 06:56:19 UTC - 192.168.204.229:51463 - 64.202.116.151:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
- 2014-06-11 06:56:20 UTC - 64.202.116.151:80 - 192.168.204.229:51464 - EXPLOIT-KIT Angler exploit kit Silverlight exploit download (sid:28612)
- 2014-06-11 06:56:34 UTC - 64.202.116.151:80 - 192.168.204.229:51497 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
HIGHLIGHTS FROM THE TRAFFIC
- Malicious javascript in page from compromised website (screenshot from the original post, not reproduced here)
- Redirect pointing to Fiesta EK (screenshot from the original post, not reproduced here)
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-11-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-11-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.