2015-03-30 - FIESTA EK FROM 205.234.186.113 PUSHES SIMDA MALWARE

ASSOCIATED FILES:

• ZIP - pcap of the infection traffic:  2015-03-30-Fiesta-EK-infection-traffic.pcap.zip
• ZIP - pcap from malwr.com's analysis of payload:  2015-03-30-Fiesta-EK-malware-payload-analysis-from-malwr.com.pcap.zip
• ZIP - associated malware:  2015-03-30-Fiesta-EK-malware.zip

 

NOTES

ASSOCIATED DOMAINS:

• 198.41.249.42 port 80 - www.gm-trucks.com - Comproimsed website
• 136.243.224.9 port 80 - hrortict.com - Redirect
• 205.234.186.113 port 80 - mefastmap.eu - Fiesta EK

 

COMRPOMISED WEBSITE AND REDIRECT:

• 2015-03-30 20:07:45 UTC - www.gm-trucks.com GET /
• 2015-03-30 20:07:46 UTC - hrortict.com GET /tqgpXRzPJl-Z_iu-jW_m/S_WN-qOg/VJ.php?E6-ty=1Tuc_8fw2_8i448r&-_=a7y499xbX6-ce&TS=4Xd2vddke964&
  E-=07sfneGf-H8P9o0-5&yO-u=egaGf

 

FIESTA EK:

• 2015-03-30 20:07:58 UTC - mefastmap.eu - GET /pve7s23q/fjJpLk2OKhreF6IGk5E2
• 2015-03-30 20:08:00 UTC - mefastmap.eu - GET /pve7s23q/6588e8806e0b7c6c0303010357030d0306020903515a080b03000901045d5c00;130000;182
• 2015-03-30 20:08:01 UTC - mefastmap.eu - GET /pve7s23q/432c9791226860f8574359580b0c0c02040403580d55090a0106035a58525d01;7
• 2015-03-30 20:08:12 UTC - mefastmap.eu - GET /pve7s23q/432c9791226860f8574359580b0c0c02040403580d55090a0106035a58525d01;7;1
• 2015-03-30 20:08:37 UTC - mefastmap.eu - GET /pve7s23q/08f2a9348f9f80a75a560a0953020607000f5709555b030f050d570b005c5705
• 2015-03-30 20:08:38 UTC - mefastmap.eu - GET /pve7s23q/293f79e3ec282a3c5d56515d05025000020e025d035b5508070c025f565c0304
• 2015-03-30 20:08:38 UTC - mefastmap.eu - GET /pve7s23q/293f79e3ec282a3c5d56515d05025000020e025d035b5508070c025f565c0304
• 2015-03-30 20:08:41 UTC - mefastmap.eu - GET /pve7s23q/34e112f19e646fc8504c000a030953020303540a0550560a0601540850570200;1;3
• 2015-03-30 20:08:57 UTC - mefastmap.eu - GET /pve7s23q/34e112f19e646fc8504c000a030953020303540a0550560a0601540850570200;1;3;1

 

POST-INFECTION TRAFFIC (SIMDA):

• 2015-03-30 20:08:13 UTC - 217.23.6.131 port 80 - report.qgmyws9e1aa31e93.com - GET /?1aA317931=%96%9C%A0%D2%A7[long string]
• 2015-03-30 20:09:16 UTC - 194.63.143.127 port 80 - update.z6yzyo6vfubf.com - GET /?66=kaygx5bWlpSybbKr3aZo2Z[long string]
• 2015-03-30 20:09:17 UTC - 217.23.6.131 port 80 - report.qgmyws9e1aa31e93.com - GET /?7q317o343=%96%9C%A0%D2%A7[long string]
• 2015-03-30 20:09:17 UTC - 217.23.6.131 port 80 - report.qgmyws9e1aa31e93.com - GET /?w1u93i20=%96%9C%A0%D2%A7[long string]
• 2015-03-30 20:09:17 UTC - 217.23.6.131 port 80 - report.qgmyws9e1aa31e93.com - GET /?5iQGM12=%96%9C%A0%D2%A7[long string]
• 2015-03-30 20:09:30 UTC - 217.23.6.131 port 80 - report.qgmyws9e1aa31e93.com - GET /?qGMYWS13=%96%9C%A0%D2%A7[long string]
• 2015-03-30 20:09:30 UTC - 217.23.6.131 port 80 - report.ce5a5k55g55a5ku.com - GET /?79kUO31=%96%9C%A0%D2%A7[long string]

 

FINAL NOTES

Once again, here are the associated files:

• ZIP - pcap of the infection traffic:  2015-03-30-Fiesta-EK-infection-traffic.pcap.zip
• ZIP - pcap from malwr.com's analysis of payload:  2015-03-30-Fiesta-EK-malware-payload-analysis-from-malwr.com.pcap.zip
• ZIP - associated malware:  2015-03-30-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.