2014-06-21 - FIESTA EK ON 64.202.116.151 - FERZYPSY.IN.UA
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-21-Fiesta-EK-both-pcaps.zip
- ZIP of the malware: 2014-06-21-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 64.202.116.151 - ferzypsy.in.ua - Fiesta EK
- various IP addresses - various domains - Post-infection traffic from sandbox analysis (see below)
FIESTA EK:
- 21:22:23 - localhost:49510 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/1
- 21:22:26 - localhost:49510 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/6f4b10a3ceb82ed545115259000b550104500c59055251080355555757060403;120000;38
- 21:22:26 - localhost:49510 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/053cb112106198c343594558530a050002030b58565301090506525604075402;5110411
- 21:22:26 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/7a9c2cd735a018865411525803585005055701580601540c0252585654550107;6
- 21:22:27 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/7a9c2cd735a018865411525803585005055701580601540c0252585654550107;6;1
- 21:22:34 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/334f70b035a0188650435f5d060b560201050c5d0352520b0600555351060700;5
- 21:22:34 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/334f70b035a0188650435f5d060b560201050c5d0352520b0600555351060700;5;1
- 21:22:35 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/36b70ec8ef50c84f59580e0c015e570a01005a0c040753030605030256530608
- 21:22:35 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/587b1295a5d0a52d5a57555900090d07070e0f590550090e000b565757045c56
- 21:22:35 - localhost:49514 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/587b1295a5d0a52d5a57555900090d07070e0f590550090e000b565757045c56
- 21:22:35 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/32d21adbfeab2720504a0109005a505001045c09050354590601050757570152;1;3
- 21:22:36 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/32d21adbfeab2720504a0109005a505001045c09050354590601050757570152;1;3;1
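The requests above all share one shape: a single directory segment, a 64-character lowercase hex token, and zero or more ";<number>" fields tacked on (the Snort "Fiesta URI Struct" and "gt 60char hex-ascii" alerts further down key on exactly this). The following Python is an added detection example written for this post, not the author's tooling and not an ET or VRT rule; it generalizes slightly by accepting any first path segment (the page only shows "nzrems2") and any hex token of 60 or more characters, which is an assumption on my part. The Fiesta lines are copied from the listing above; the benign control lines are constructed.

```python
import re

# HTTP request lines copied from the Fiesta EK section of this post
# (time - client - server - host - request). These are the page's own
# observations, not constructed data.
FIESTA_LOG = """\
21:22:23 - localhost:49510 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/1
21:22:26 - localhost:49510 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/6f4b10a3ceb82ed545115259000b550104500c59055251080355555757060403;120000;38
21:22:26 - localhost:49510 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/053cb112106198c343594558530a050002030b58565301090506525604075402;5110411
21:22:26 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/7a9c2cd735a018865411525803585005055701580601540c0252585654550107;6
21:22:27 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/7a9c2cd735a018865411525803585005055701580601540c0252585654550107;6;1
21:22:34 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/334f70b035a0188650435f5d060b560201050c5d0352520b0600555351060700;5
21:22:34 - localhost:49512 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/334f70b035a0188650435f5d060b560201050c5d0352520b0600555351060700;5;1
21:22:35 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/36b70ec8ef50c84f59580e0c015e570a01005a0c040753030605030256530608
21:22:35 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/587b1295a5d0a52d5a57555900090d07070e0f590550090e000b565757045c56
21:22:35 - localhost:49514 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/587b1295a5d0a52d5a57555900090d07070e0f590550090e000b565757045c56
21:22:35 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/32d21adbfeab2720504a0109005a505001045c09050354590601050757570152;1;3
21:22:36 - localhost:49513 - 64.202.116.151:80 - ferzypsy.in.ua - GET /nzrems2/32d21adbfeab2720504a0109005a505001045c09050354590601050757570152;1;3;1
"""

# Constructed benign control traffic (not from the page) to show the rule stays quiet on it.
BENIGN_LOG = """\
21:23:01 - localhost:49520 - 93.184.216.34:80 - example.com - GET /index.html
21:23:02 - localhost:49521 - 93.184.216.34:80 - example.com - GET /static/app.js?v=20140621
21:23:03 - localhost:49522 - 93.184.216.34:80 - example.com - GET /img/1/a0b1c2d3
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) - (?P<src>\S+) - (?P<dst>\S+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Fiesta-style URI: one directory segment, a long lowercase-hex token (60+ chars, the
# same threshold the ET "gt 60char hex-ascii" rule describes; assumed generalization),
# then zero or more ';<digits>' fields.
FIESTA_URI_RE = re.compile(r"^/[A-Za-z0-9_-]+/(?P<hex>[0-9a-f]{60,})(?P<fields>(?:;\d+)*)$")


def parse_line(line):
    """Split one 'time - src - dst - host - METHOD /uri' record into a dict, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_uri(uri):
    """Return the hex token and numeric trailer fields if the URI has the Fiesta shape, else None."""
    m = FIESTA_URI_RE.match(uri)
    if not m:
        return None
    fields = [f for f in m.group("fields").split(";") if f]
    return {"hex": m.group("hex"), "fields": fields}


def scan(log_text):
    """Return one hit per request whose URI matches the Fiesta shape, with host and trailer fields."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify_uri(rec["uri"])
        if cls is None:
            continue
        hits.append({"time": rec["time"], "host": rec["host"], "src": rec["src"], **cls})
    return hits


def hosts_with_hits(log_text):
    """Distinct server names seen serving Fiesta-shaped URIs (a simple triage view)."""
    return sorted({h["host"] for h in scan(log_text)})


if __name__ == "__main__":
    for hit in scan(FIESTA_LOG):
        print(hit["time"], hit["host"], hit["hex"][:16] + "...", hit["fields"])
    print("benign hits:", len(scan(BENIGN_LOG)))
```

The landing page request (/nzrems2/1) is deliberately not flagged; only the hex-token requests are, which is where the exploit and payload downloads happen in this chain. Pairing the hits with the trailer fields lets an analyst see the repeated token-plus-";N;1" pairs that mark a second fetch of the same object.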
SANDBOX ANALYSIS OF MALWARE PAYLOAD FROM MALWR.COM:
- 21:59:23 - 192.168.56.102:1036 - 176.36.149.220:80 - gummiringes.com - GET /b/shoe/54602
- 21:59:23 - 192.168.56.102:1037 - 176.36.149.220:80 - gummiringes.com - GET /b/shoe/54602
- 21:59:26 - 192.168.56.102:1038 - 37.57.26.167:80 - proactives-a.com - GET /pho-caguestbooks-a78.23/jquery/
- 22:00:11 - 192.168.56.102:1031 - 31.169.22.123:80 - proactives-a.com - GET /uni-terevolutions-f74.67/soft32.dll
- 22:00:16 - 192.168.56.102:1033 - 176.36.149.220:80 - vision-vaper.su - GET /b/eve/b35c8c01b86dd3f4aecf28fd
- 22:01:15 - 192.168.56.102:1038 - 176.36.149.220:80 - vision-vaper.su - POST /b/opt/F1E10E4D08316E6D03003198
- 22:01:15 - 192.168.56.102:1039 - 176.36.149.220:80 - vision-vaper.su - GET /b/letr/D4051FEFFE1BAE98F52AF16D
- 22:01:29 - 192.168.56.102:1040 - 27.254.40.105:8080 - 27.254.40.105:8080 - POST /b/opt/DC967C66376FAB813C5EF474
- 22:01:47 - 192.168.56.102:1041 - 27.254.40.105:8080 - 27.254.40.105:8080 - POST /b/req/2A280E95C302C273C8339D86
- 22:02:08 - 192.168.56.102:1042 - 27.254.40.105:8080 - 27.254.40.105:8080 - POST /b/req/622C5C558ABC319B818D6E6E
- 22:02:11 - 192.168.56.102:1044 - 192.162.19.34:80 - ownership-search.com - GET /
- 22:02:11 - 192.168.56.102:1046 - 192.162.19.34:80 - projects-search.com - GET /
- 22:02:11 - 192.168.56.102:1047 - 192.162.19.34:80 - services-search.com - GET /
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-06-21-Fiesta-EK-flash-exploit.swf
File size: 9.8 KB ( 10086 bytes )
MD5 hash: e811566df31461d01701f6fed593499c
Detection ratio: 0 / 53
First submission: 2014-06-21 22:05:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/95629ba84278981f84681a935cc26b47d250bfd7b15a1fb031e7343666f48560/analysis/
File name: 2014-06-21-Fiesta-EK-flash-exploit-uncompressed.swf
File size: 15.4 KB ( 15734 bytes )
MD5 hash: d40f48d1248d5e84acaf4b79d7c83d56
Detection ratio: 0 / 53
First submission: 2014-06-21 22:06:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/2fb84c6050c27a2a4cc7417a6e0afe51407f97f1c095806d84d91500bb160919/analysis/
JAVA EXPLOIT
File name: 2014-06-21-Fiesta-EK-java-exploit.jar
File size: 7.7 KB ( 7895 bytes )
MD5 hash: 296533af96774e8c63aad8ca7f74a5a4
Detection ratio: 2 / 54
First submission: 2014-06-20 14:17:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/997869e82e5163ebebc2ca01412d8eb91b2ad05b82eea52a78f633530edea053/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-21-Fiesta-EK-silverlight-exploit.xap
File size: 10.9 KB ( 11177 bytes )
MD5 hash: c87f1b6ae7c4a695de2ab56682774888
Detection ratio: 1 / 54
First submission: 2014-06-21 22:06:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/63819995c189f68bd97844ff8ac6abfa8927a1deabf6e409f5f5dc7bc119f722/analysis/
MALWARE PAYLOAD
File name: 2014-06-21-Fiesta-EK-malware-payload.exe
File size: 76.0 KB ( 77832 bytes )
MD5 hash: 137323a9603aca4a91702a59e5e171b0
Detection ratio: 1 / 54
First submission: 2014-06-21 21:55:44 UTC
VirusTotal link: https://www.virustotal.com/en/file/9b90e923852b8a3ae850ad86d2197a1c1527f7686f0ca4e80ff8b49baab88a3b/analysis/
Malwr link: https://malwr.com/analysis/NjUwNWRlNWVmOGM5NDI0MzljMjIwZDFlYjU2OTEyM2E/
FOLLOW-UP MALWARE
File name: exe.exe
File size: 148.0 KB ( 151552 bytes )
MD5 hash: 402d70d5f2b4cc83291d8a44fbc81386
Detection ratio: 1 / 53
First submission: 2014-06-21 22:04:40 UTC
VirusTotal link: https://www.virustotal.com/en/file/3a67ed1bd1fe578854edd2f7b78bd9782b5c2823ccaa7a852937ea804c8e7eaf/analysis/
Malwr link: https://malwr.com/analysis/MmE1NDQ2YWZmOTYzNDNlMzk4NjM3MzI3ODBjYjE0Yzg/
SNORT EVENTS - INFECTION TRAFFIC
Emerging Threats and ETPRO rulesets:
- 2014-06-21 21:22:26 UTC - 64.202.116.151:80 - 172.16.165.132:49510 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-06-21 21:22:26 UTC - 172.16.165.132:49510 - 64.202.116.151:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-06-21 21:22:26 UTC - 64.202.116.151:80 - 172.16.165.132:49510 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
- 2014-06-21 21:22:35 UTC - 172.16.165.132:49513 - 64.202.116.151:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
- 2014-06-21 21:22:35 UTC - 64.202.116.151:80 - 172.16.165.132:49513 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
Sourcefire VRT ruleset:
- 2014-06-21 21:22:26 UTC - 172.16.165.132:49510 - 64.202.116.151:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
- 2014-06-21 21:22:26 UTC - 64.202.116.151:80 - 172.16.165.132:49510 - EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (sid:28612)
- 2014-06-21 21:22:35 UTC - 64.202.116.151:80 - 172.16.165.132:49513 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
NOTE: These Snort events were taken from Sguil on Security Onion
SNORT EVENTS - SANDBOX ANALYSIS OF MALWARE PAYLOAD
Emerging Threats and ETPRO rulesets:
- 192.168.56.102:1036 - 176.36.149.220:80 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2807742)
- 37.57.26.167:80 - 192.168.56.102:1038 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
- 192.168.56.102:1033 - 176.36.149.220:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
- 176.36.149.220:80 - 192.168.56.102:1033 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
- 192.168.56.102:1038 - 176.36.149.220:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
Sourcefire VRT ruleset:
- 37.57.26.167:80 - 192.168.56.102:1038 - MALWARE-CNC Win.Trojan.Dofoil outbound connection (sid:28809)
- 192.168.56.102:1033 - 176.36.149.220:80 - MALWARE-CNC Win.Trojan.Cidox variant outbound connection (sid:29356)
NOTE: These Snort events were generated by using tcpreplay to replay the PCAP on Security Onion
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-21-Fiesta-EK-both-pcaps.zip
- ZIP of the malware: 2014-06-21-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.