2014-08-26 - FIESTA EK FROM 64.202.116.154 - WKLOCKES.IN.UA

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-08-26-Fiesta-EK-pcaps.zip
• ZIP file of the malware:  2014-08-26-Fiesta-EK-malware.zip

 

NOTES:

• The infected VM went to a completely white screen with the following message:
  
  
  
  
• The message reads:   Windows locked! Your ID is 0x658b5e3b. Send 250 WMZ to Z268598233219 and follow instructions.
• I was able to reboot the infected Windows VM in safe mode without any issues.
• Sandbox analysis of the malware payload generated only one signature hit: ETPRO TROJAN Win32/Steroope.B checkin (sid:2808532)

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 72.9.159.119 - www.dbstalk.com - Compromised website
• 176.102.38.75 - similarki.com - Redirect
• 64.202.116.154 - wklockes.in.ua - Fiesta EK

 

COMPROMISED WEBSITE AND REDIRECT:

• 11:20:42 UTC - 192.168.204.139:49641 - 72.9.159.119:80 - www.dbstalk.com - GET /page/index.html
• 11:20:49 UTC - 192.168.204.139:49647 - 176.102.38.75:80 - similarki.com - GET /Hv5NjknDdgy.js?VrTopRNsW=7c5f580baeb9f4a84d0fe4

 

FIESTA EK:

• 11:20:50 UTC - wklockes.in.ua - GET /igf35wx/2
• 11:20:52 UTC - wklockes.in.ua - GET /igf35wx/2bc0cd0538c0c85e4115050b515f01030054530258505205095750560052540751;118800;94
• 11:20:53 UTC - wklockes.in.ua - GET /igf35wx/3d1b959797c579275a015d590b0e08010152015002015b07085102045a035d0550
• 11:20:54 UTC - wklockes.in.ua - GET /igf35wx/6d65f77ccccaa4b94508400e540c0655045206075d0355530d5105530501535155;4060531
• 11:20:54 UTC - wklockes.in.ua - GET /igf35wx/2de5dca29f8b306f5e0d070e56585004005255075f570302095156530755050051;910
• 11:20:56 UTC - wklockes.in.ua - GET /igf35wx/20f476c2ca59d02651400d0f050d5204000656060c020102090555525400070051;6
• 11:21:08 UTC - wklockes.in.ua - GET /igf35wx/20f476c2ca59d02651400d0f050d5204000656060c020102090555525400070051;6;1
• 11:21:12 UTC - wklockes.in.ua - GET /igf35wx/5cfb89aeba3324a956130d590a02505307555650030d03550e5655045b0f055753;4
• 11:21:17 UTC - wklockes.in.ua - GET /igf35wx/5cfb89aeba3324a956130d590a02505307555650030d03550e5655045b0f055753;4;1
• 11:21:42 UTC - wklockes.in.ua - GET /igf35wx/0953f961ca59d02653495e0854020707020f05015d0d54010b0c0655050f520353;5
• 11:21:48 UTC - wklockes.in.ua - GET /igf35wx/0953f961ca59d02653495e0854020707020f05015d0d54010b0c0655050f520353;5;1
• 11:21:49 UTC - wklockes.in.ua - GET /igf35wx/602ff4976e2baabb5742535d540f0801040602545d005b070d05010005025d0555
• 11:21:52 UTC - wklockes.in.ua - GET /igf35wx/0a4b5672f527ddc453195159070d0604025704500e0255020b5407045600530053;1;2
• 11:22:13 UTC - wklockes.in.ua - GET /igf35wx/0a4b5672f527ddc453195159070d0604025704500e0255020b5407045600530053;1;2;1

 

POST-INFECTION TRAFFIC (FROM THE SANDBOX ANALYSIS):

• Contacted 353 different IP addresses over UDP port 19077, UDP port 48754, and TCP port 48754

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-26-Fiesta-EK-flash-exploit.swf
File size:  9.9 KB ( 10129 bytes )
MD5 hash:  094590df1b3069fdded1f54578711f92
Detection ratio:  5 / 54
First submission:  2014-08-22 12:59:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f9c4824f94199d22836ff2efa40013c771532e1d9db797dc4dac71d32b8d2ccc/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-26-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5121 bytes )
MD5 hash:  1a7297d283505c4f7fd536d8801034e8
Detection ratio:  9 / 47
First submission:  2014-08-22 11:40:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1b10c2a30b45ad4c72d905a0e06ab4d1c50832734ecda199f276a4904e9cda09/analysis/

 

PDF EXPLOIT:

File name:  2014-08-26-Fiesta-EK-pdf-exploit.pdf
File size:  6.9 KB ( 7034 bytes )
MD5 hash:  87163b2d2eedba33168a055c57ae0995
Detection ratio:  5 / 55
First submission:  2014-08-26 13:54:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bc3a7cde1a3ada00075a783bb99d316d81bbb8b064b216a964ee6f534653e290/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-26-Fiesta-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22310 bytes )
MD5 hash:  e68b1d99c0874d163a13aad634219fa0
Detection ratio:  5 / 53
First submission:  2014-08-22 17:04:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d82f544a10a932c1ab947bd481836d770a6704edc5fc5b1130255ed57a3a9d19/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-26-Fiesta-EK-malware-payload.exe
File size:  345.2 KB ( 353487 bytes )
MD5 hash:  ab755021eff3c0b73b3bd2b8ee98aaaa
Detection ratio:  19 / 53
First submission:  2014-08-26 13:55:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/75e02c1dfd52dc2ee10224b6bc701acf945b16afaa30620185abac9ff91dc82d/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 11:20:49 UTC - 192.168.204.139:49647 - 176.102.38.75:80 - ET CURRENT_EVENTS Fiesta EK randomized javascript Gate Jul 18 2014 (sid:2018741)
• 11:20:52 UTC - 192.168.204.139:49654 - 64.202.116.154:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
• 11:20:53 UTC - 64.202.116.154:80 - 192.168.204.139:49654 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
• 11:20:55 UTC - 64.202.116.154:80 - 192.168.204.139:49662 - ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved (sid:2014316)
• 11:20:55 UTC - 64.202.116.154:80 - 192.168.204.139:49662 - ET WEB_CLIENT PDF With Embedded File (sid:2011507)
• 11:20:55 UTC - 64.202.116.154:80 - 192.168.204.139:49662 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
• 11:20:55 UTC - 64.202.116.154:80 - 192.168.204.139:49662 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (sid:2018408)
• 11:20:55 UTC - 64.202.116.154:80 - 192.168.204.139:49662 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (sid:2016001)
• 11:20:54 UTC - 64.202.116.154:80 - 192.168.204.139:49663 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
• 11:21:49 UTC - 192.168.204.139:49694 - 64.202.116.154:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

• 11:20:52 UTC - 192.168.204.139:various - 64.202.116.154:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (x13)
• 11:20:55 UTC - 64.202.116.154:80 - 192.168.204.139:49662 - [1:23041:4] FILE-PDF EmbeddedFile contained within a PDF

 

SNORT EVENTS SEEN FROM PCAP OF MALWARE PAYLOAD SANDBOX ANALYSIS

• 192.168.204.139:49790 - 146.185.220.111:19077 - ETPRO TROJAN Win32/Steroope.B checkin (sid:2808532)

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect:

 

Post-infection traffic (from sandbox analysis) - example of UDP traffic to port 19077:

 

Post-infection traffic (from sandbox analysis) - example of UDP traffic to port 48754:

 

Post-infection traffic (from sandbox analysis) - example of TCP traffic to port 48754:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-08-26-Fiesta-EK-pcaps.zip
• ZIP file of the malware:  2014-08-26-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.