2014-06-14 - FIESTA EK FROM 64.202.116.151 - DEASTOME.IN.UA

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-14-Fiesta-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-06-14-Fiesta-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 199.91.124.30 - talkofthevillages.com - Compromised website
• 75.102.9.195 - easyslowz.com - Redirect
• 64.202.116.151 - deastome.in.ua - Fiesta EK

COMPROMISED WEBSITE AND REDIRECT:

• 23:22:25 UTC - talkofthevillages.com - GET /
• 23:22:26 UTC - easyslowz.com - GET /iuK7boGCJA.js?kWvl=4ce427f

FIESTA EK:

• 23:22:27 UTC - deastome.in.ua - GET /v20idaf/2
• 23:22:28 UTC - deastome.in.ua - GET /v20idaf/1b1bc3e2606ec9c94215575951085206005b07595751550904510801070b5c57;112202;228
• 23:22:28 UTC - deastome.in.ua - GET /v20idaf/40b77fd96fc4fc605d550e0c055d530d0509540c0304540201035b54535e5d5c
• 23:22:29 UTC - deastome.in.ua - GET /v20idaf/6130c376beb77fdf455d450b510800020708050b5751070d03020a53070b0e53;4060129
• 23:22:30 UTC - deastome.in.ua - GET /v20idaf/49f93c10027fae2057490d0201580604050050020701010b010a5f5a575b0856;4
• 23:22:31 UTC - deastome.in.ua - GET /v20idaf/49f93c10027fae2057490d0201580604050050020701010b010a5f5a575b0856;4;1
• 23:22:35 UTC - deastome.in.ua - GET /v20idaf/26f51f5a9b76ff9a51460d0e035d0255030f500e0504055a07055f56555e0c04;5
• 23:22:36 UTC - deastome.in.ua - GET /v20idaf/26f51f5a9b76ff9a51460d0e035d0255030f500e0504055a07055f56555e0c04;5;1
• 23:22:37 UTC - deastome.in.ua - GET /v20idaf/22ba98389b76ff9a5142095a0b03040c030b545a0d5a030307015b025d000a5d;6
• 23:22:38 UTC - deastome.in.ua - GET /v20idaf/22ba98389b76ff9a5142095a0b03040c030b545a0d5a030307015b025d000a5d;6;1
• 23:23:11 UTC - deastome.in.ua - GET /v20idaf/1869556c38c80ffc504a5702070e01570001000201570658040b0f5a510d0f06
• 23:23:21 UTC - deastome.in.ua - GET /v20idaf/4cda5d52507dc03c571b015a075f0206055a525a0106050901505d02515c0c57;1;2
• 23:23:23 UTC - deastome.in.ua - GET /v20idaf/4cda5d52507dc03c571b015a075f0206055a525a0106050901505d02515c0c57;1;2;1

 

MALWARE

• Flash exploit:   2014-06-14-Fiesta-EK-flash-exploit.swf   (Virus total link)
• Java exploit:   2014-06-14-Fiesta-EK-java-exploit.jar   (Virus total link)
• Silverlight exploit:   2014-06-14-Fiesta-EK-Silverlight-exploit.xap   (Virus total link)
• Malware payload:   2014-06-14-Fiesta-EK-malware-payload.exe   (Virus total link)

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets:

• 2014-06-14 23:20:42 UTC - 172.16.165.133:49708 - 64.202.116.151:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
• 2014-06-14 23:20:42 UTC - 64.202.116.151:80 - 172.16.165.133:49708 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
• 2014-06-14 23:20:43 UTC - 64.202.116.151:80 - 172.16.165.133:49710 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
• 2014-06-14 23:20:43 UTC - 64.202.116.151:80 - 172.16.165.133:49710 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention (sid:2018226)
• 2014-06-14 23:21:25 UTC - 172.16.165.133:49752 - 64.202.116.151:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)

Sourcefire VRT ruleset:

• 2014-06-14 23:20:42 UTC - 172.16.165.133:49708 - 64.202.116.151:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
• 2014-06-14 23:20:43 UTC - 64.202.116.151:80 - 172.16.165.133:49710 - EXPLOIT-KIT Angler exploit kit Silverlight exploit download (sid:28612)
• 2014-06-14 23:21:25 UTC - 64.202.116.151:80 - 172.16.165.133:49752 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)

NOTE: These Snort events were taken from Sguil on Security Onion

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAPs:  2014-06-14-Fiesta-EK-traffic.pcap.zip
• ZIP of the malware:  2014-06-14-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.