2014-09-30 - FIESTA EK FROM 64.202.116.153 - AFFINEAIRFORCE.US
ASSOCIATED FILES:
- ZIP of the pcap: 2014-09-30-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-30-Fiesta-EK-malware.zip
NOTES:
- After 2014-09-24, this particular actor for Fiesta EK stopped using the gate, normally on 75.102.9.195, that triggered the following signature:
- ET CURRENT_EVENTS Fiesta EK randomized javascript Gate Jul 18 2014 (sid:2018741)
- Now, the gate appears to be on 190.123.42.254 and is following a different URL pattern. The above ET signature is no longer valid.
- Previous Fiesta EK from this actor used 64.202.116.0/24 with domain names ending in .in.ua.
- This actor is still using the 64.202.116.0/24 range, but now the domain names are different.
- If anyone has web logs, check 190.123.42.254 for the last week--if you find the referers, those are the compromised websites.
- Feel free to email me at admin@malware-traffic-analysis.net and let me know what compromised websites are generating traffic to 190.123.42.254.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 208.43.210.238 - www.woodworkingtalk.com - Compromised website
- 190.123.42.254 - malibushi.com - Redirect (gate)
- 64.202.116.153 - affineairforce.us - Fiesta EK
COMPROMISED WEBSITE AND FIESTA REDIRECT:
- 13:23:38 UTC - 192.168.204.149:49565 - 208.43.210.238:80 - www.woodworkingtalk.com - GET /
- 13:23:38 UTC - 192.168.204.149:49572 - 190.123.42.254:80 - malibushi.com - GET /?1EG2=s7_9Lb0u_9JaGG1&6vo=Jc1oYfm9x4fQ6&1yb=7vW3vd38su7ao&CNm=u4
FIESTA EK:
- 13:23:40 UTC - affineairforce.us - GET /8hrncw9/lbZgywFghgrrcvL6EYGz
- 13:23:42 UTC - affineairforce.us - GET /8hrncw9/7abd05297a5350314416045f010e030c0656515f04570202025550055153025c;118800;
- 13:23:42 UTC - affineairforce.us - GET /8hrncw9/0b67a89675f9659859075a0c500308030155050c555a090d05560456005e0953
- 13:23:44 UTC - affineairforce.us - GET /8hrncw9/635a9dd4a48ae627455f435a085f55010704065a0d06540f0307070058025451;4060531
- 13:23:44 UTC - affineairforce.us - GET /8hrncw9/6165e4db568d00d55a58540e540f55570706050e515654590305045404525407;910
- 13:23:46 UTC - affineairforce.us - GET /8hrncw9/07dbdf678351f25853470f59555d0702010057595004060c0503560305000707;4
- 13:23:48 UTC - affineairforce.us - GET /8hrncw9/07dbdf678351f25853470f59555d0702010057595004060c0503560305000707;4;1
- 13:23:48 UTC - affineairforce.us - GET /8hrncw9/47fb745a814b666257470d59060f0454050055590356055a0103540356520504;6
- 13:23:50 UTC - affineairforce.us - GET /8hrncw9/47fb745a814b666257470d59060f0454050055590356055a0103540356520504;6;1
- 13:24:00 UTC - affineairforce.us - GET /8hrncw9/26887734814b666251465303060c020103010b030355030f07020a5956510351;5
- 13:24:02 UTC - affineairforce.us - GET /8hrncw9/26887734814b666251465303060c020103010b030355030f07020a5956510351;5;1
- 13:24:08 UTC - affineairforce.us - GET /8hrncw9/27bdee6722f596045345035f545e07020300515f5107060c0703500504030652
- 13:24:31 UTC - affineairforce.us - GET /8hrncw9/187ec7dd4a4059c45240525e520c5551000f045e5755545f040c050402515401;1;2
- 13:24:38 UTC - affineairforce.us - GET /8hrncw9/187ec7dd4a4059c45240525e520c5551000f045e5755545f040c050402515401;1;2;1
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-09-30-Fiesta-EK-flash-exploit.swf
File size: 10.0 KB ( 10251 bytes )
MD5 hash: 5bf447627975b9ac6d0c68aa7f0b7d9a
Detection ratio: 2 / 49
First submission: 2014-09-30 13:55:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/dcccecbfa80b7812e85ac17b247c912c45acd464154f3ef4aee29a6c164677b4/analysis/
JAVA EXPLOIT:
File name: 2014-09-30-Fiesta-EK-java-exploit.jar
File size: 5.1 KB ( 5208 bytes )
MD5 hash: f81db671289bb9bbaeeeae519ab6ca07
Detection ratio: 3 / 53
First submission: 2014-09-30 08:07:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/3a2104460098294342d76fc741447977f3aa1e8a8f715787e8f8c9fd2a1b1b81/analysis/
PDF EXPLOIT:
File name: 2014-09-30-Fiesta-EK-pdf-exploit.pdf
File size: 7.4 KB ( 7610 bytes )
MD5 hash: da27b50d3ca83816dc0c3f10801eb31c
Detection ratio: 8 / 55
First submission: 2014-09-30 13:55:56 UTC
VirusTotal link: https://www.virustotal.com/en/file/8f359f2aa2d76537f6c000fe14ccaee7530668674f7b3a3aff570dbad0b1ebd1/analysis/
SILVERLIGHT EXPLOIT:
File name: 2014-09-30-Fiesta-EK-silverlight-exploit.xap
File size: 18.2 KB ( 18586 bytes )
MD5 hash: 6c6b87d853492e3f3ae8f554149ed423
Detection ratio: 2 / 54
First submission: 2014-09-30 13:56:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/8fbb447e22d5c24cce5f94bf136e2ca5059cd19ccc6febed64773d3083125e6f/analysis/
MALWARE PAYLOAD:
File name: 2014-09-30-Fiesta-EK-malware-payload.exe
File size: 395.9 KB ( 405360 bytes )
MD5 hash: b420af05c69db544141cb096ddf0e814
Detection ratio: 3 / 54
First submission: 2014-09-30 13:56:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/1cd11ebb1e2f9fadd53c64df872857a4e7be1d872f8d631c3fc52fc0227d13fe/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-09-30 13:23:44 UTC - 192.168.204.149:49684 - 64.202.116.153:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49683 - ET WEB_CLIENT PDF With Embedded File (sid:2011507)
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49683 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49683 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (sid:2018408)
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49683 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (sid:2016001)
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49684 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-09-30 13:24:08 UTC - 192.168.204.149:49712 - 64.202.116.153:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):
- 2014-09-30 13:23:42 UTC - 192.168.204.149:various - 64.202.116.153:80 - [1:29443:7] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (x13)
- 2014-09-30 13:23:42 UTC - 64.202.116.153:80 - 192.168.204.149:49681 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49683 - [1:23041:4] FILE-PDF EmbeddedFile contained within a PDF
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49683 - [1:28238:1] EXPLOIT-KIT Multiple exploit kits malicious pdf download
- 2014-09-30 13:23:44 UTC - 64.202.116.153:80 - 192.168.204.149:49684 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (x2)
- 2014-09-30 13:24:08 UTC - 64.202.116.153:80 - 192.168.204.149:49712 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
HIGHLIGHTS FROM THE TRAFFIC
Malicious javascript in page from compromised website:
Redirect (gate) pointing to Fiesta EK:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-09-30-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-09-30-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.