2014-08-31 - FIESTA EK FROM 64.202.116.154 - WIEZERSF.IN.UA

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-08-31-Fiesta-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-08-31-Fiesta-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 108.163.248.234 - forum.duelingnetwork.com - Compromised website
• 75.102.9.195 - informuos.com - Redirect
• 64.202.116.154 - wiezersf.in.ua - Fiesta EK
• various IP addresses - various domains - Post-infection traffic

 

COMPROMISED WEBSITE AND REDIRECT:

• 00:43:39 UTC - 172.16.165.133:50031 - 108.163.248.234:80 - forum.duelingnetwork.com - GET /
• 00:43:42 UTC - 172.16.165.133:50038 - 75.102.9.195:80 - informuos.com - GET /9706AeCh.js?UVv=5b45f12d9a34d16a1

 

FIESTA EK:

• 00:43:44 UTC - wiezersf.in.ua - GET /8v532c1/2
• 00:43:45 UTC - wiezersf.in.ua - GET /8v532c1/0a3f4e0fefe479bc4316555d065e05550059005d0007005d0555035402005255;112202;228
• 00:43:45 UTC - wiezersf.in.ua - GET /8v532c1/25f06164e04e4c155b500a0b040a0307020d550b0253060f0701560200545407
• 00:43:46 UTC - wiezersf.in.ua - GET /8v532c1/3ee20726313dcfaa40091309020c0705035d56090455020d0651550006525005;4060129
• 00:43:46 UTC - wiezersf.in.ua - GET /8v532c1/74113073c33a29585b5d530a010b0200070c020a075207080200010305555500;910
• 00:43:55 UTC - wiezersf.in.ua - GET /8v532c1/023499d18a98da4c5342580f0b025102000a000f0d5b540a050603060f5c0605;4
• 00:43:58 UTC - wiezersf.in.ua - GET /8v532c1/023499d18a98da4c5342580f0b025102000a000f0d5b540a050603060f5c0605;4;1
• 00:43:59 UTC - wiezersf.in.ua - GET /8v532c1/5b63579c14fc4fef56125d08070c0c50055a0508015509580056060103525b50;5
• 00:44:02 UTC - wiezersf.in.ua - GET /8v532c1/5b63579c14fc4fef56125d08070c0c50055a0508015509580056060103525b50;5;1
• 00:44:03 UTC - wiezersf.in.ua - GET /8v532c1/41f97d65b742bf8955430702055f0306040955020306060e0105560b01015406
• 00:44:03 UTC - wiezersf.in.ua - GET /8v532c1/4573442f14fc4fef57455c08060f0755040d04080056025d0101070102515055;6
• 00:44:06 UTC - wiezersf.in.ua - GET /8v532c1/4573442f14fc4fef57455c08060f0755040d04080056025d0101070102515055;6;1
• 00:44:07 UTC - wiezersf.in.ua - GET /8v532c1/5c2be2fcdff77049561b575957095350055b0159515056580057025053570450;1;2
• 00:44:09 UTC - wiezersf.in.ua - GET /8v532c1/5c2be2fcdff77049561b575957095350055b0159515056580057025053570450;1;2;1

 

POST-INFECTION TRAFFIC:

• 00:43:58 UTC - 172.16.165.133:50127 - 46.63.66.102:80 - jufer-muirer.su - GET /b/shoe/54616   [repeats several times]
• 00:44:00 UTC - 172.16.165.133:50136 - 178.72.151.199:80 - quret-huler.su - GET /mod_articles-authl9.12/jquery/   [repeats x4]
• 00:47:59 UTC - 172.16.165.133:50160 - 178.72.151.199:80 - quret-huler.su - GET /mod_articles-authl9.12/ajax/   [repeats x4]
• 00:48:04 UTC - 172.16.165.133:50162 - 195.114.147.96:80 - kinure-desrt.su - GET /b/eve/02bf938f935a58e36f4936ae
• 00:49:07 UTC - 172.16.165.133:50165 - 5.166.193.211:80 - kinure-desrt.su - POST /b/opt/5FF681DE9FC3EBF00E26209C
• 00:49:08 UTC - 172.16.165.133:50166 - 5.166.193.211:80 - kinure-desrt.su - GET /b/letr/1EA1A92B4ED92CE8DF3CE784
• 00:49:08 UTC - 172.16.165.133:50167 - 63.247.95.50:8080 - 63.247.95.50:8080 - POST /b/opt/FCC14647A7DBE540363E2E2C
• 00:49:09 UTC - 172.16.165.133:50168 - 63.247.95.50:8080 - 63.247.95.50:8080 - GET /b/letr/6F7797A9F8BD61E86958AA84
• 00:49:10 UTC - 172.16.165.133:50169 - 122.155.167.122:8080 - 122.155.167.122:8080 - POST /b/opt/A25489AB5292C9E4C3770288
• 00:49:30 UTC - 172.16.165.133:50170 - 122.155.167.122:8080 - 122.155.167.122:8080 - POST /b/req/A1D875FEDFBD566E4E589D02
• 00:49:53 UTC - 172.16.165.133:50171 - 122.155.167.122:8080 - 122.155.167.122:8080 - GOAWAY

Click-fraud traffic begins:

• 00:49:58 UTC - 172.16.165.133:50172 - 46.161.41.220:80 - leafegrt.com - GET /
• 00:49:58 UTC - 172.16.165.133:50173 - 46.161.41.220:80 - extremely-ppa.com - GET /
• 00:49:58 UTC - 172.16.165.133:50174 - 46.161.41.220:80 - mington-res.com - GET /

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-31-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10271 bytes )
MD5 hash:  9860b49773715afc1e7cfd2da123e610
Detection ratio:  2 / 55
First submission:  2014-08-31 01:27:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/860770ed7c536a71d8611073d53575748e903006e7e53db4a1df56536970c4ab/analysis/

 

PDF EXPLOIT:

File name:  2014-08-31-Fiesta-EK-pdf-exploit.pdf
File size:  6.7 KB ( 6902 bytes )
MD5 hash:  8d5c4118a0817bd8d515e961164616b9
Detection ratio:  5 / 55
First submission:  2014-08-31 02:53:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/99d09c551873078d55ac2cd0a8d651ef1b189c3182e9fa776f6d2b8ee83f0c20/analysis/

 

JAVA EXPLOIT:

File name:  2014-08-31-Fiesta-EK-java-exploit.jar
File size:  5.0 KB ( 5118 bytes )
MD5 hash:  9bd190e40e05c7e2d6e715ed94d501cc
Detection ratio:  6 / 55
First submission:  2014-08-29 15:42:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/37dbbda6358e32746b4889dcee1560c64786e53da54c367a2803ec2c0c23d535/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-31-Fiesta-EK-silverlight-exploit.xap
File size:  22.1 KB ( 22583 bytes )
MD5 hash:  1471db385e5447683d0b7c4647c86fff
Detection ratio:  1 / 55
First submission:  2014-08-31 01:31:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bd3ee303f9b90761b3d5fde6f46c74baa9378f745ee0a2b83121375fea93e9e7/analysis/

 

MALWARE PAYLOAD:

Malware payload was encrypted, and I wasn't able to grab a copy from the user's AppData\Local\Temp directory before it deleted itself.  This malware payload was a trojan downloader that downloaded Rerdom.

Shown above: 110,890 bytes of encrypted payload

 

RERDOM DOWNLOAD:

File name:  2014-08-31-Fiesta-EK-rerdom-malware.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  8a351bc652decf84eabd853f4efd69bc
Detection ratio:  10 / 55
First submission:  2014-08-31 04:13:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7c548028df72e63ca8624051823804ad130680e72ee0a34259a08d01ec05f223/analysis/

 

MALWARE DROPPED BY RERDOM:

File name:  2014-08-31-Fiesta-EK-malware-dropped-by-rerdom.exe
File size:  316.2 KB ( 323806 bytes )
MD5 hash:  9e5b3d07fe22379248196cce63d6f0b9
Detection ratio:  2 / 54
First submission:  2014-08-31 01:26:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c487e6437a728a0a9f43c29bdd0e20730f1a6ae890cf886d455b35709f065d4/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 00:43:45 UTC - 172.16.165.133:50070 - 64.202.116.154:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid: 2018407)
• 00:43:45 UTC - 64.202.116.154:80 - 172.16.165.133:50070 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid: 2018411)
• 00:43:46 UTC - 64.202.116.154:80 - 172.16.165.133:50073 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid: 2018409)
• 00:43:46 UTC - 64.202.116.154:80 - 172.16.165.133:50079 - ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved (sid: 2014316)
• 00:43:46 UTC - 64.202.116.154:80 - 172.16.165.133:50079 - ET WEB_CLIENT PDF With Embedded File (sid: 2011507)
• 00:43:46 UTC - 64.202.116.154:80 - 172.16.165.133:50079 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid: 2801334)
• 00:43:46 UTC - 64.202.116.154:80 - 172.16.165.133:50079 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (sid: 2018408)
• 00:43:46 UTC - 64.202.116.154:80 - 172.16.165.133:50079 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (sid: 2016001)
• 00:43:58 UTC - 172.16.165.133:50127 - 46.63.66.102:80 - ETPRO TROJAN Win32/Zemot User-Agent (sid: 2808499)
• 00:43:58 UTC - 172.16.165.133:50127 - 46.63.66.102:80 - ET TROJAN Win32/Zemot Checkin (sid: 2018643 and 2018644)
• 00:44:00 UTC - 178.72.151.199:80 - 172.16.165.133:50136 - ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (sid: 2018914)
• 00:44:00 UTC - 178.72.151.199:80 - 172.16.165.133:50136 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid: 2018572)
• 00:44:00 UTC - 178.72.151.199:80 - 172.16.165.133:50136 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid: 2008438)
• 00:44:02 UTC - 172.16.165.133:50134 - 64.202.116.154:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid: 2014912)
• 00:48:04 UTC - 172.16.165.133:50162 - 195.114.147.96:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid: 2018096)
• 00:48:05 UTC - 195.114.147.96:80 - 172.16.165.133:50162 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid: 2018097)
• 00:49:07 UTC - 172.16.165.133:50165 - 5.166.193.211:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid: 2018098)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 00:43:45.697021 172.16.165.133:various - 64.202.116.154:80 - [1:29443:6] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (x13)
• 00:43:46.825378 64.202.116.154:80 - 172.16.165.133:50079 - [1:23041:4] FILE-PDF EmbeddedFile contained within a PDF
• 00:43:56.934857 64.202.116.154 - 172.16.165.133 - [139:1:1] (spp_sdf) SDF Combination Alert (x12)
• 00:43:57.896108 172.16.165.133:various - 172.16.165.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x4)
• 00:44:00.675018 178.72.151.199:80 - 172.16.165.133:various - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection (x8)
• 00:44:00.675018 178.72.151.199:80 - 172.16.165.133:various - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x8)
• 00:48:02.038641 178.72.151.199:80 - 172.16.165.133:various - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x4)
• 00:48:02.199530 178.72.151.199:80 - 172.16.165.133:various - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected (x4)
• 00:48:04.918458 172.16.165.133:50162 - 195.114.147.96:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 00:49:07.227170 172.16.165.133:various - 5.166.193.211:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection (x2)
• 00:49:08.992255 172.16.165.133:various - 63.247.95.50:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection (x2)
• 00:49:10.876545 172.16.165.133:various - 122.155.167.122:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection (x3)

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect pointing to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-08-31-Fiesta-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-08-31-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.