2014-09-30 - FIESTA EK FROM 64.202.116[.]153 - AFFINEAIRFORCE[.]US

NOTICE:

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND FIESTA REDIRECT:


FIESTA EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-30-Fiesta-EK-flash-exploit.swf
File size:  10,251 bytes
MD5 hash:  5bf447627975b9ac6d0c68aa7f0b7d9a
Detection ratio:  2 / 49
First submission:  2014-09-30 13:55:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dcccecbfa80b7812e85ac17b247c912c45acd464154f3ef4aee29a6c164677b4/analysis/


JAVA EXPLOIT:

File name:  2014-09-30-Fiesta-EK-java-exploit.jar
File size:  5,208 bytes
MD5 hash:  f81db671289bb9bbaeeeae519ab6ca07
Detection ratio:  3 / 53
First submission:  2014-09-30 08:07:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3a2104460098294342d76fc741447977f3aa1e8a8f715787e8f8c9fd2a1b1b81/analysis/


PDF EXPLOIT:

File name:  2014-09-30-Fiesta-EK-pdf-exploit.pdf
File size:  7,610 bytes
MD5 hash:  da27b50d3ca83816dc0c3f10801eb31c
Detection ratio:  8 / 55
First submission:  2014-09-30 13:55:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8f359f2aa2d76537f6c000fe14ccaee7530668674f7b3a3aff570dbad0b1ebd1/analysis/


SILVERLIGHT EXPLOIT:

File name:  2014-09-30-Fiesta-EK-silverlight-exploit.xap
File size:  18,586 bytes
MD5 hash:  6c6b87d853492e3f3ae8f554149ed423
Detection ratio:  2 / 54
First submission:  2014-09-30 13:56:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8fbb447e22d5c24cce5f94bf136e2ca5059cd19ccc6febed64773d3083125e6f/analysis/


MALWARE PAYLOAD:

File name:  2014-09-30-Fiesta-EK-malware-payload.exe
File size:  405,360 bytes
MD5 hash:  b420af05c69db544141cb096ddf0e814
Detection ratio:  3 / 54
First submission:  2014-09-30 13:56:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1cd11ebb1e2f9fadd53c64df872857a4e7be1d872f8d631c3fc52fc0227d13fe/analysis/


SIGNATURE HITS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):


HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript in page from compromised website:


Redirect (gate) pointing to Fiesta EK:
