2014-01-03 - FIESTA EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-01-03-Fiesta-EK-traffic.pcap.zip
• 2014-01-03-Fiesta-EK-malware.zip

 

TRAFFIC

ASSOCIATED DOMAINS:

• 108.168.211[.]92 - www.stevesnovasite[.]com - Compromised web site
• 190.123.47[.]198 - lokishards[.]com - Redirect domain
• 64.202.116[.]125 - yredinblu[.]in[.]ua - Fiesta EK domain

HTTP REQUESTS:

• 2014-01-03 03:00:33 UTC - www.stevesnovasite[.]com - GET /forums/showthread.php?t=54003&page=10
• 2014-01-03 03:00:34 UTC - lokishards[.]com - GET /ehwqovz.js?89c2887e3cc99e5e
• 2014-01-03 03:00:35 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?2
• 2014-01-03 03:00:42 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?0e29b3101e759abf59005e0250080802065c05025651010b0557510f500b0105
• 2014-01-03 03:00:45 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?7f7282ba8d9d95d1521e52090a095b53015f00090c50525a025454040a0a5205;1;5
• 2014-01-03 03:00:45 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?7f7282ba8d9d95d1521e52090a095b53015f00090c50525a025454040a0a5205;1;5;1
• 2014-01-03 03:00:49 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?2efd84db3037498c580b0a5f0a0f5d50045c515f0c565459075705520a0c5457
• 2014-01-03 03:00:50 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?23b8e91ee6c925775d5c000357020857040a5503515b015e0701010e57010051
• 2014-01-03 03:00:51 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?062d834621cca6e3534e575f0a080d04060f055f0c51040d050451520a0b0403;1;4
• 2014-01-03 03:00:52 UTC - yredinblu[.]in[.]ua - GET /r1tmip5/?062d834621cca6e3534e575f0a080d04060f055f0c51040d050451520a0b0403;1;4;1

ARTIFACTS FROM THE PCAP:

MALWARE:

• Java exploit - 5ad942fcfdd2e47781ff374d77ed51ba
• EXE payload - 624db39ef9470871aa880d3f3b03b52d

 

Click here to return to the main page.