2014-06-26 - FIESTA EK ON 64.202.116[.]151 - FTPNROCK[.]IN[.]UA

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-06-26-Fiesta-EK-traffic.pcap.zip
• 2014-06-26-Fiesta-EK-malware.zip

 

CHAIN OF EVENTS

• 23:27:26 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/2
• 23:27:31 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/5be00b59d64fcb064615030b02590d0c06535d0b040005020051045351000c0f;120000;38
• 23:27:31 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/75dda92b08967d104459125f53020a5704045c5f555b025902060507005b0b54;5110411
• 23:27:38 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /favicon.ico
• 23:27:38 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/5226814e2d57fd555642590d0a0a0c5006030a0d0c53045e0001535559530d53;6
• 23:27:43 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/5226814e2d57fd555642590d0a0a0c5006030a0d0c53045e0001535559530d53;6;1
• 23:27:43 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/0d4458ca2d57fd5553145f0f07035b5403550c0f015a535a05575557545a5a57;5
• 23:27:47 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/0d4458ca2d57fd5553145f0f07035b5403550c0f015a535a05575557545a5a57;5;1
• 23:27:48 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/1a8b1e91f7a72d9c5b0f5459035e0104025000590507090a0452590150070007
• 23:27:50 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/2066aedb8ee90d335342570d535e5c5701010e0d550754590703575500075d54
• 23:27:51 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/15245fe5512102015e5a500f075d5d0002040a0f0104550e0406535754040457
• 23:27:51 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/15245fe5512102015e5a500f075d5d0002040a0f0104550e0406535754040457
• 23:27:51 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/2066aedb8ee90d335342570d535e5c5701010e0d550754590703575500075d54
• 23:27:52 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/2066aedb8ee90d335342570d535e5c5701010e0d550754590703575500075d54
• 23:27:53 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/2066aedb8ee90d335342570d535e5c5701010e0d550754590703575500075d54
• 23:27:54 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/1a8b1e91f7a72d9c5b0f5459035e0104025000590507090a0452590150070007
• 23:27:54 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/ratshp.class
• 23:27:54 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/1a8b1e91f7a72d9c5b0f5459035e0104025000590507090a0452590150070007
• 23:27:55 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/ratshp.class
• 23:28:01 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/32be7e9d116700365c5d005e055e015100035a5e0307095f0601030656075b56
• 23:28:01 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/32be7e9d116700365c5d005e055e015100035a5e0307095f0601030656075b56
• 23:28:03 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/3ab37172e65cc2f350190708050a0f0700505a08035307090652035056530e04;1;3
• 23:28:07 UTC - 64.202.116[.]151:80 - ftpnrock[.]in[.]ua - GET /nzrems2/3ab37172e65cc2f350190708050a0f0700505a08035307090652035056530e04;1;3;1

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-26-Fiesta-EK-flash-exploit.swf
File size:  9,986 bytes
MD5 hash:  57952dff4d59c0ede13ce682ea5b59df
Detection ratio:  0 / 54
First submission:  2014-06-24 21:54:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/71d98b3fa03c00ae39ea50fc1c6ec71174bf058a931e43d83dcdf4759dc0b891/analysis/

File name:  2014-06-26-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15,659 bytes
MD5 hash:  080e9424e315a2b7b1a24801d6c1907f
Detection ratio:  0 / 54
First submission:  2014-06-28 19:08:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/57d5d815d31a9baf14f5187c7562475b7502fca230de9909d786921aa80e61c3/analysis/

 

JAVA EXPLOIT

File name:  2014-06-26-Fiesta-EK-java-exploit.jar
File size:  7,902 bytes
MD5 hash:  fc7a679cc8b91631d9efad6ced945b86
Detection ratio:  6 / 54
First submission:  2014-06-28 19:08:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3a85c85d4c34d595e4da1e7fb145acf853ebcf81b7a18a6d83165be22528d48f/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-06-26-Fiesta-EK-silverlight-exploit.xap
File size:  11,968 bytes
MD5 hash:  9455541d20fa13b35ee6f1e8732a03f7
Detection ratio:  0 / 54
First submission:  2014-06-24 16:05:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/48a08e87bf8be6d65f273122b6ba8f823aa35537b1fb0ef7829553939df5e143/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-26-Fiesta-EK-malware-payload.exe
File size:  169,984 bytes
MD5 hash:  29fd1f436712245aa77826a457bbfa59
Detection ratio:  22 / 54
First submission:  2014-06-27 02:18:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e4783e389e33430d18dc343b8a4642a6c75b972d526d89195ba826f563526c37/analysis/

 

Click here to return to the main page.