2015-01-20 - FIESTA EK FROM 205.234.186.112 - JUSTTATTOSHOP.IN
ASSOCIATED FILES:
- ZIP of the pcap: 2015-01-20-Fiesta-EK-infection-traffic.pcap.zip
- ZIP of the malware: 2015-01-20-Fiesta-EK-malware-and-artifacts.zip
NOTES:
- My normal blog entries are somewhat time-consuming. In an effort to post more frequently, I'll be posting more entries like this one.
- Feel free to tweet any additional information about the malware payload.
- This infection happened on a physical host (not a VM).
[Image: Contents of the zip archive for this blog entry.]
[Image: Some of the registry changes on the infected host.]
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 69.167.155.134 - www.excelforum.com - Compromised website
- 94.242.216.4 - dyncondt.com - Redirect/gate
- 205.234.186.112 - justtattoshop.in - Fiesta EK
- 81.177.180.101 - 81.177.180.101 - Post-infection callback
- 136.243.24.222 - 136.243.24.222 - Post-infection callback
- 136.243.24.222 - abc-search.org - (what looks like) click-fraud traffic begins
COMPROMISED WEBSITE AND REDIRECT:
- 2015-01-20 00:43:41 UTC - www.excelforum.com - GET /
- 2015-01-20 00:43:42 UTC - dyncondt.com - GET /?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g=aPp8X-02-GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO&m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3
FIESTA EK:
- 2015-01-20 00:43:44 UTC - justtattoshop.in - GET /txf9p_v8/ye1PlchZ7X9pFcl0o-y3
- 2015-01-20 00:43:46 UTC - justtattoshop.in - GET /txf9p_v8/14dcb5b6b53272fd050d5358500e5401000750585657520d0400060703005305;114402;287
- 2015-01-20 00:43:46 UTC - justtattoshop.in - GET /txf9p_v8/4dc239e53174afbc5d010f090102530205575709075b550e01500156520c5406
- 2015-01-20 00:43:48 UTC - justtattoshop.in - GET /txf9p_v8/1ce77cae1200caf15d0a070c055857520050510c0301515e0457075356565056;910
- 2015-01-20 00:43:48 UTC - justtattoshop.in - GET /txf9p_v8/1d35a036e0072c034208450e530b05010057070e5552030d0450515100050205;4060310
- 2015-01-20 00:43:50 UTC - justtattoshop.in - GET /txf9p_v8/64a866b4c5c6ac4655440a03040d5403070755030254520f0300035c57035307;6
- 2015-01-20 00:43:53 UTC - justtattoshop.in - GET /txf9p_v8/64a866b4c5c6ac4655440a03040d5403070755030254520f0300035c57035307;6;1
- 2015-01-20 00:43:55 UTC - justtattoshop.in - GET /txf9p_v8/413b341cb5ac58c957415859010f075405020759075601580105510652010055;1
- 2015-01-20 00:43:56 UTC - justtattoshop.in - GET /txf9p_v8/1778ba69c5c6ac4652475c03505a000e00040303560306020403555c0354070a;5
- 2015-01-20 00:43:57 UTC - justtattoshop.in - GET /txf9p_v8/413b341cb5ac58c957415859010f075405020759075601580105510652010055;1;1
- 2015-01-20 00:43:59 UTC - justtattoshop.in - GET /txf9p_v8/1778ba69c5c6ac4652475c03505a000e00040303560306020403555c0354070a;5;1
- 2015-01-20 00:43:59 UTC - justtattoshop.in - GET /txf9p_v8/022b0e2e1f367c8f5a5c5e59025e0452010106590407025e0506500651500356
- 2015-01-20 00:44:00 UTC - justtattoshop.in - GET /txf9p_v8/788da65dfbfe72f658575a5f530d0353060b0c5f5554055f020c5a0000030756
- 2015-01-20 00:44:02 UTC - justtattoshop.in - GET /txf9p_v8/687313c60ecd93e05540520803085501070b03080551530d030c555750065205;1;3
- 2015-01-20 00:44:04 UTC - justtattoshop.in - GET /txf9p_v8/687313c60ecd93e05540520803085501070b03080551530d030c555750065205;1;3;1
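The Fiesta EK request shape above (one directory, a 64-character hex token, then zero or more ";<number>" suffixes) is regular enough to match in proxy or HTTP logs. Added example, not part of the original post: a Python script that parses lines in the format used in this chain of events (a constructed sample copied from the entries above) and flags hosts that served two or more such URLs. The log line format and the two-request threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the chain of events above, in the
# "timestamp - host - METHOD path" shape used in this write-up.
SAMPLE_LOG = """\
2015-01-20 00:43:41 UTC - www.excelforum.com - GET /
2015-01-20 00:43:42 UTC - dyncondt.com - GET /?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2
2015-01-20 00:43:44 UTC - justtattoshop.in - GET /txf9p_v8/ye1PlchZ7X9pFcl0o-y3
2015-01-20 00:43:50 UTC - justtattoshop.in - GET /txf9p_v8/64a866b4c5c6ac4655440a03040d5403070755030254520f0300035c57035307;6
2015-01-20 00:43:53 UTC - justtattoshop.in - GET /txf9p_v8/64a866b4c5c6ac4655440a03040d5403070755030254520f0300035c57035307;6;1
2015-01-20 00:43:55 UTC - justtattoshop.in - GET /txf9p_v8/413b341cb5ac58c957415859010f075405020759075601580105510652010055;1
2015-01-20 00:43:57 UTC - justtattoshop.in - GET /txf9p_v8/413b341cb5ac58c957415859010f075405020759075601580105510652010055;1;1
2015-01-20 00:52:29 UTC - abc-search.org - GET /search?q=wrestling&subid=4699
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ UTC) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$")
# Fiesta-style path: one directory, a 64-hex token, zero or more ";<digits>" suffixes.
FIESTA_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]+/(?P<token>[0-9a-f]{64})(?P<params>(?:;\d+)*)$")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def fiesta_hits(log_text):
    """Return {host: {token: [param suffix, ...]}} for requests matching the Fiesta URL shape."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        pm = FIESTA_PATH_RE.match(rec["path"])
        if pm:
            hits[rec["host"]][pm.group("token")].append(pm.group("params"))
    return {host: dict(tokens) for host, tokens in hits.items()}


def suspicious_hosts(log_text, min_requests=2):
    """Hosts that served at least min_requests Fiesta-shaped URLs; a single hit alone is weak evidence."""
    return sorted(host for host, tokens in fiesta_hits(log_text).items()
                  if sum(len(v) for v in tokens.values()) >= min_requests)


if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        print(host)
        # The same token reappearing with an extra suffix is worth correlating with
        # the files carved from the pcap for that host.
        for token, params in fiesta_hits(SAMPLE_LOG)[host].items():
            print("  ", token[:16] + "...", params)
```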
SOME OF THE POST-INFECTION TRAFFIC:
- 2015-01-20 00:43:57 UTC - 81.177.180.101 - GET /ENzXbFdVk%2bi9%2ffrs[very long string of characters]
- 2015-01-20 00:51:52 UTC - 136.243.24.222 - GET /xO6PANLQcbTSPc5knkG/[long string of characters]
- 2015-01-20 00:52:29 UTC - abc-search.org - GET /r?q=wrestling&subid=4699&link=kkCguKA.EeSIskSKW9RPYQ
- 2015-01-20 00:52:29 UTC - abc-search.org - GET /search?q=wrestling&subid=4699
- 2015-01-20 00:52:30 UTC - abc-search.org - GET /click?q=wrestling&subid=4699&link=kkCguKA.EeSIskSKW9RPYQ
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2015-01-20-Fiesta-EK-infection-traffic.pcap.zip
- ZIP of the malware: 2015-01-20-Fiesta-EK-malware-and-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.