2014-08-24 - FIESTA EK FROM 64.202.116.154 - SBZRSVI.DDNSKING.COM

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-08-24-Fiesta-EK-with-post-infection-traffic.pcap.zip
• ZIP file of the malware:  2014-08-24-Rerdom-example.zip

 

NOTES:

• This is a quick blog entry to show the latest change in Zemot/Rerdom callback domains.
• I wasn't able to grab the Fiesta EK malware payload from the infected VM, and this traffic has the same exploits from my previous blog entry on Fiesta.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 64.202.116.154 - sbzrsvi.ddnsking.com - Fiesta EK
• 181.136.220.15 - from-gunergs.ru - Zemot/Rerdom callback traffic
• 108.23.26.2 and 109.184.189.158 - oak-tureght.ru - Zemot/Rerdom callback traffic
• 96.248.32.30 - triple-bow.su - Zemot/Rerdom callback traffic
• 208.76.172.96 - additional callback on port 8080 = Zemot/Rerdom callback traffic

 

FIESTA EK:

• 01:06:53 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/counter.php?id=2
• 01:06:54 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/?2
• 01:06:55 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/4e1bda0d23296b4047125759565a0557045709595003005f0156575b57585100;112202;228
• 01:06:55 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/4749b1392c835ee95d525802500a060a04050c0256530302010452005108525d
• 01:06:55 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/282f12bafdf0dd564154445d03095752020a0a5d0550525a070b545f020b0305;4060129
• 01:06:56 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/185f144b0ff73ba45d51575d030f0151010a0d5d05560459040b535f020d5506;910
• 01:06:56 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/0471ebb1d8315d1353445c0a5759570200060f0a5100520a05075108565b0355;6
• 01:06:57 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/0471ebb1d8315d1353445c0a5759570200060f0a5100520a05075108565b0355;6;1
• 01:06:59 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/11ae487faf366d8552410a5e060302550103595e005a075d0402075c07015603;4
• 01:07:01 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/11ae487faf366d8552410a5e060302550103595e005a075d0402075c07015603;4;1
• 01:07:09 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/3e5fb71ad8315d1350155e5d500c045203570d5d5655015a0656535f510e5005;5
• 01:07:10 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/3e5fb71ad8315d1350155e5d500c045203570d5d5655015a0656535f510e5005;5;1
• 01:07:10 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/284dd5007b8fad75534a555f560e0503020a0c5f5057000b070b525d570c5154
• 01:07:12 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/7bc84be0133a62b5541a06030659500307505b030000550b02510501075b0454;1;2
• 01:07:16 UTC - sbzrsvi.ddnsking.com - GET /xfb65iy/7bc84be0133a62b5541a06030659500307505b030000550b02510501075b0454;1;2;1

 

POST-INFECTION TRAFFIC:

• 01:06:58 UTC - 172.16.165.133:49604 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:00 UTC - 172.16.165.133:49606 - 109.184.189.158:80 - oak-tureght.ru - GET /mod_articles-auth9565.6595/jquery/
• 01:07:01 UTC - 172.16.165.133:49608 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:02 UTC - 172.16.165.133:49609 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:03 UTC - 172.16.165.133:49610 - 109.184.189.158:80 - oak-tureght.ru - GET /mod_articles-auth9565.6595/jquery/
• 01:07:10 UTC - 172.16.165.133:49615 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:15 UTC - 172.16.165.133:49619 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:16 UTC - 172.16.165.133:49622 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:17 UTC - 172.16.165.133:49620 - 109.184.189.158:80 - oak-tureght.ru - GET /mod_articles-auth9565.6595/jquery/
• 01:07:18 UTC - 172.16.165.133:49623 - 181.136.220.15:80 - from-gunergs.ru - GET /b/shoe/54613
• 01:07:20 UTC - 172.16.165.133:49624 - 109.184.189.158:80 - oak-tureght.ru - GET /mod_articles-auth9565.6595/jquery/
• 01:08:16 UTC - 172.16.165.133:49157 - 108.23.26.2:80 - oak-tureght.ru - GET /mod_jshoppi-deny6328.4569/soft64.dll
• 01:08:19 UTC - 172.16.165.133:49159 - 96.248.32.30:80 - triple-bow.su - GET /b/eve/5d8bcdd89299304f5888aecf
• 01:09:19 UTC - 172.16.165.133:49160 - 96.248.32.30:80 - triple-bow.su - POST /b/opt/1F1D3DA5F8AB79C137B98456
• 01:09:20 UTC - 172.16.165.133:49161 - 96.248.32.30:80 - triple-bow.su - GET /b/letr/C336920B7141B5C1BE534856
• 01:09:20 UTC - 172.16.165.133:49162 - 208.76.172.96:8080 - 208.76.172.96:8080 - POST /b/opt/9E10807CEA289B06253A6691
• 01:09:30 UTC - 172.16.165.133:49163 - 208.76.172.96:8080 - 208.76.172.96:8080 - POST /b/opt/C2EF17BF16E43738D9F6CAAF
• 01:09:48 UTC - 172.16.165.133:49164 - 208.76.172.96:8080 - 208.76.172.96:8080 - POST /b/req/F49CD52404776EEECB659379
• 01:10:49 UTC - 172.16.165.133:49165 - 208.76.172.96:8080 - 208.76.172.96:8080 - POST /b/req/F49CD52404776EEECB659379

 

PRELIMINARY MALWARE ANALYSIS

RERDOM EXAMPLE:

File name:  UpdateFlashPlayer_e96b6afc.exe
File size:  156.0 KB ( 159744 bytes )
MD5 hash:  b97c14f436a08dfeb8a5fd3cd330b0a5
Detection ratio:  7 / 55
First submission:  2014-08-24 02:17:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9416efc91239accf7bef876a00e547a77b5170d5982969f1e08560eb622f169a/analysis/

 

SNORT EVENTS FOR THE POST-INFECTION TRAFFIC

Post-infection signature hits from the Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET POLICY or ET INFO events):

• ET TROJAN Win32/Zemot Checkin (sid:2018643)
• ET TROJAN Win32/Zemot Checkin (sid:2018644)
• ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
• ET TROJAN Win32/Zemot Config Download (sid:2018661)
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
• ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (sid:2018914)
• GPL SHELLCODE x86 NOOP (sid:648)

Post-infection signature hits from the Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

• [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• [1:648:14] INDICATOR-SHELLCODE x86 NOOP
• [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-08-24-Fiesta-EK-with-post-infection-traffic.pcap.zip
• ZIP file of the malware:  2014-08-24-Rerdom-example.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.