2014-07-22 - FIESTA EK FROM 62.212.73.198 - EYMJJYEBO.MYFTP.ORG

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-07-22-Fiesta-EK-traffic.pcap.zip
• ZIP of the malware:  2014-07-22-Fiesta-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 62.212.73.198 - eymjjyebo.myftp.org - Fiesta EK
• 192.162.19.27 - tundra-reser.com - Post-infection traffic
• 46.173.171.13 - smokejuse.su - Post-infection traffic
• 109.87.104.209 - vision-vaper.su - Post-infection traffic
• 198.57.234.25 - 198.57.234.25 - Post-infection traffic on port 8080
• 37.140.195.101 - 37.140.195.101 - Post-infection traffic on port 443
• 79.143.179.6 - 79.143.179.6 - Post-infection traffic on port 443
• 192.162.19.34 - various search domains - Fake search engines where click-fraud traffic begins

 

FIESTA EK:

• 00:56:20 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /lt9qjvbzdzbvjlqhcwifllfcr8ylk0alt89mv0tarrqsrmtr
• 00:56:22 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/205acf435b1df8204147535a515d05050506065358525603090506020704025106;118800;94
• 00:56:23 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/7b3566c7f41849595e075f0e040d5201005400070d0201070c5700565254555503
• 00:56:24 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/1a0ffa36af1794c7420d465d545a0200065703545d5551060a5403050203055405;4060531
• 00:56:26 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/612f8104308db1e25541595d0a0a010201070154030552040d0401055c53065601;4
• 00:56:27 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/612f8104308db1e25541595d0a0a010201070154030552040d0401055c53065601;4;1
• 00:56:37 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/255d90f4a984e05851455e5f0b0b57020503065602040404090006075d52505606;6
• 00:56:39 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/255d90f4a984e05851455e5f0b0b57020503065602040404090006075d52505606;6;1
• 00:56:40 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/3868157aa984e05850485d03030e0657040e050a0a015551080d055b5557010307;5
• 00:56:41 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/3868157aa984e05850485d03030e0657040e050a0a015551080d055b5557010307;5;1
• 00:56:42 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/5526e4e50df69ac55447530d570f5403020301045e0007050e0001550156535701
• 00:56:44 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/55c7ecf896faedba564d060c5758570e020350055e5704080e0050540101505a01;1;2
• 00:56:49 UTC - 62.212.73.198 - eymjjyebo.myftp.org - GET /q4vprom/55c7ecf896faedba564d060c5758570e020350055e5704080e0050540101505a01;1;2;1

 

POST-INFECTION TRAFFIC:

• 00:56:28 UTC - 192.168.204.234:50591 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:39 UTC - 192.168.204.234:50595 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:39 UTC - 192.168.204.234:50596 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:41 UTC - 192.168.204.234:50607 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:42 UTC - 192.168.204.234:50608 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:49 UTC - 192.168.204.234:50631 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:50 UTC - 192.168.204.234:50632 - 192.162.19.27:80 - tundra-reser.com - GET /b/shoe/54609
• 00:56:51 UTC - 192.168.204.234:50634 - 46.173.171.130:80 - smokejuse.su - GET /mod_articles/jquery/
• 00:57:01 UTC - 192.168.204.234:50635 - 46.173.171.130:80 - smokejuse.su - GET /mod_articles/jquery/
• 00:57:04 UTC - 192.168.204.234:50636 - 46.173.171.130:80 - smokejuse.su - GET /mod_articles/jquery/
• 00:57:12 UTC - 192.168.204.234:50637 - 46.173.171.130:80 - smokejuse.su - GET /mod_articles/jquery/
• 00:58:17 UTC - 192.168.204.234:49159 - 46.173.171.130:80 - smokejuse.su - GET /mod_jshopping/soft32.dll
• 00:59:16 UTC - 192.168.204.234:49161 - 109.87.104.209:80 - vision-vaper.su - POST /b/opt/D2D5C9EE08CC59C56AAB4EAB
• 00:59:17 UTC - 192.168.204.234:49162 - 109.87.104.209:80 - vision-vaper.su - GET /b/letr/6D3F1CF8F48E929596E985FB
• 00:59:17 UTC - 192.168.204.234:49163 - 198.57.234.25:8080 - 198.57.234.25:8080 - POST /b/opt/A826D37B3A755B7958124C17
• 00:59:18 UTC - 192.168.204.234:49164 - 198.57.234.25:8080 - 198.57.234.25:8080 - GET /b/letr/D2DD5F9869F28A390B959D57
• 00:59:19 UTC - 192.168.204.234:49165 - 37.140.195.101:443 - POST /b/opt/B06A4C6B175FCF337538D85D
• 00:59:20 UTC - 192.168.204.234:49166 - 37.140.195.101:443 - POST /b/opt/CDD2E47A8DBD0203EFDA156D
• 00:59:21 UTC - 192.168.204.234:49167 - 37.140.195.101:443 - GET /b/letr/4FCAC42489C38D49EBA49A27
• 00:59:21 UTC - 192.168.204.234:49168 - 79.143.179.6:443 - POST /b/opt/B823442A538AB1F131EDA69
• 00:59:22 UTC - 192.168.204.234:49169 - 79.143.179.6:443 - POST /b/opt/838102011185ADA473E2BACA
• 00:59:38 UTC - 192.168.204.234:49170 - 79.143.179.6:443 - POST /b/req/D001F348025E3EAF603929C1
• 00:59:59 UTC - 192.168.204.234:49171 - 79.143.179.6:443 - POST /b/req/7AE8BBF1D422635CB6457432
• 01:00:00 UTC - 192.168.204.234:49173 - 192.162.19.34:80 - aquariums-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49172 - 192.162.19.34:80 - aquariums-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49174 - 192.162.19.34:80 - hilton-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49180 - 192.162.19.34:80 - blues-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49178 - 192.162.19.34:80 - cleopatra-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49175 - 192.162.19.34:80 - report-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49176 - 192.162.19.34:80 - clubs-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49177 - 192.162.19.34:80 - country-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49179 - 192.162.19.34:80 - recommendation-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49181 - 192.162.19.34:80 - companies-search.com - GET /
• 01:00:00 UTC - 192.168.204.234:49182 - 192.162.19.34:80 - clubs-search.com - GET /

 

PRELIMINARY MALWARE ANALYSIS

The Flash, Java, and Silverlight exploits are the same as previous Fiesta EK traffic from my 2014-07-20 blog entry ( link ).

• MD5 hash: cfb54a37495bb73b8bf7022d5700d0bf   -   2014-07-22-Fiesta-EK-flash-exploit.swf   -   Virus Total link
• MD5 hash: 648cc2a876d6028194332af0ac9fcdf6   -   2014-07-22-Fiesta-EK-silverlight-exploit.xap   -   Virus Total link
• MD5 hash: 1cd0537fbde21b9a53559f4efd4274f1   -   2014-07-22-Fiest-EK-java-exploit.jar   -   Virus Total link

 

MALWARE PAYLOAD

File name:  2014-07-22-Fiesta-EK-malware-payload.exe
File size:  88.0 KB ( 90120 bytes )
MD5 hash:  829dd823d8e1dee4c254571941777486
Detection ratio:  5 / 53
First submission:  2014-07-22 01:57:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/27069a52f4c144550cff83c81e14f5497ff3c016cf536e63b406ae7589bae755/analysis/
Malwr link:  https://malwr.com/analysis/OTlkODc5MTY0OTgwNGNkYjg3ODI2Y2FmNTBkYTA1MzE/

 

FOLLOW-UP MALWARE (RERDOM):

File name:  UpdateFlashPlayer_8c8e05ce.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  a6530c999d7178d0f99da6aa4574f9f6
Detection ratio:  8 / 53
First submission:  2014-07-21 18:53:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b847d3fe7a6f26f49c3420d136ef6e2f004542f1b6df288e865e68c947b2096e/analysis/
Malwr link:  https://malwr.com/analysis/YjliOTg1OTc0YmRiNGM2MDg1NmRjMzVhYWYxNDMwYTE/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO and ET POLICY rules):

• 2014-07-22 00:56:22 UTC - 192.168.204.234:50576 - 62.212.73.198:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
• 2014-07-22 00:56:23 UTC - 62.212.73.198:80 - 192.168.204.234:50576 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
• 2014-07-22 00:56:24 UTC - 62.212.73.198:80 - 192.168.204.234:50586 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
• 2014-07-22 00:56:28 UTC - 192.168.204.234:50591 - 192.162.19.27:80 - ET TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2018643)
• 2014-07-22 00:56:42 UTC - 192.168.204.234:50603 - 62.212.73.198:80 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain (sid:2016582)
• 2014-07-22 00:56:42 UTC - 192.168.204.234:50603 - 62.212.73.198:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
• 2014-07-22 00:56:43 UTC - 62.212.73.198:80 - 192.168.204.234:50603 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
• 2014-07-22 00:56:51 UTC - 192.168.204.234:50634 - 46.173.171.130:80 - ET TROJAN Win32/Zemot Checkin (sid:2018644)
• 2014-07-22 00:56:51 UTC - 46.173.171.130:80 - 192.168.204.234:50634 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid:2018572)
• 2014-07-22 00:56:51 UTC - 46.173.171.130:80 - 192.168.204.234:50634 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 2014-07-22 00:58:17 UTC - 192.168.204.234:49159 - 46.173.171.130:80 - ET TROJAN Win32/Zemot Config Download (sid:2018661)
• 2014-07-22 00:59:16 UTC - 192.168.204.234:49161 - 109.87.104.209:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

• 2014-07-22 00:56:20 UTC - 8.8.8.8:53 - 192.168.204.234:59759 - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
• 2014-07-22 00:56:23 UTC - 192.168.204.234:50576 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:23 UTC - 192.168.204.234:50577 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:24 UTC - 192.168.204.234:50586 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:26 UTC - 192.168.204.234:50589 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:28 UTC - 192.168.204.234:50590 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:29 UTC - 192.168.204.234:58665 - 8.8.8.8:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• 2014-07-22 00:56:38 UTC - 192.168.204.234:50593 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:39 UTC - 192.168.204.234:50594 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:40 UTC - 192.168.204.234:50604 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:42 UTC - 192.168.204.234:50606 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:43 UTC - 192.168.204.234:50603 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:44 UTC - 192.168.204.234:50628 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:50 UTC - 192.168.204.234:50630 - 62.212.73.198:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt
• 2014-07-22 00:56:51 UTC - 46.173.171.130:80 - 192.168.204.234:50634 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• 2014-07-22 00:56:51 UTC - 46.173.171.130:80 - 192.168.204.234:50634 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-07-22 00:56:52 UTC - 46.173.171.130:80 - 192.168.204.234:50634 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-07-22 00:57:02 UTC - 46.173.171.130:80 - 192.168.204.234:50635 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• 2014-07-22 00:57:02 UTC - 46.173.171.130:80 - 192.168.204.234:50635 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-07-22 00:57:03 UTC - 46.173.171.130:80 - 192.168.204.234:50635 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-07-22 00:57:05 UTC - 46.173.171.130:80 - 192.168.204.234:50636 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• 2014-07-22 00:57:05 UTC - 46.173.171.130:80 - 192.168.204.234:50636 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-07-22 00:57:05 UTC - 46.173.171.130:80 - 192.168.204.234:50636 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-07-22 00:57:13 UTC - 46.173.171.130:80 - 192.168.204.234:50637 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• 2014-07-22 00:57:13 UTC - 46.173.171.130:80 - 192.168.204.234:50637 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-07-22 00:57:14 UTC - 46.173.171.130:80 - 192.168.204.234:50637 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-07-22 00:57:57 UTC - 192.168.204.234:62835 - 8.8.8.8:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• 2014-07-22 00:58:21 UTC - 192.168.204.234:61459 - 8.8.8.8:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• 2014-07-22 00:59:16 UTC - 192.168.204.234:49161 - 109.87.104.209:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-22 00:59:17 UTC - 192.168.204.234:49162 - 109.87.104.209:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-22 00:59:17 UTC - 192.168.204.234:49163 - 198.57.234.25:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-07-22 00:59:19 UTC - 192.168.204.234:49164 - 198.57.234.25:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP(s):  2014-07-22-Fiesta-EK-traffic.pcap.zip
• ZIP of the malware:  2014-07-22-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.