2014-06-07 - FIESTA EK FROM 85.25.20[.]27 - RUKMNQYEGT.REDIRECTME[.]NET

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-06-07-Fiesta-EK-traffic.pcap.zip
• 2014-06-07-Fiesta-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 31.47.241[.]104 - erw-in[.]de - Compromised website
• 85.25.20[.]27 - rukmnqyegt.redirectme[.]net - Fiesta EK

COMPROMISED WEBSITE:

• 01:51:58 UTC - erw-in[.]de - GET /

FIESTA EK:

• 01:52:01 UTC - rukmnqyegt.redirectme[.]net - GET /osf3tyzhuohcvpxoythoclzqruiis6rxd9w
• 01:52:07 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/7663b30374544eb6444150085108010203060407590752030c03050a5004000607;120000;38
• 01:52:07 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/10143be4805e2251425c470f0059540505000300085607040a05020d0155550101;5110411
• 01:52:15 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/0bd7488186cd56ce53120f0c07030900045256030f0c5a010b57570e060f080400;5
• 01:52:16 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/0bd7488186cd56ce53120f0c07030900045256030f0c5a010b57570e060f080400;5;1
• 01:52:17 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/5c33635d64afdc0a5f0d5f0805080455015301070d0757540e56000a0404055105
• 01:52:17 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/210e6e6e86cd56ce51415b5e055e0754060102510d5154550904035c0452065002;6
• 01:52:18 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/210e6e6e86cd56ce51415b5e055e0754060102510d5154550904035c0452065002;6;1
• 01:52:19 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/0578ac717de201475f5a5503525806000405050c5a5755010b0004015354070700
• 01:52:19 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/0578ac717de201475f5a5503525806000405050c5a5755010b0004015354070700
• 01:52:20 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/33085a3bb9b35b2c504b5503065a02530703020c0e555152080603010756035703;1;3
• 01:52:21 UTC - rukmnqyegt.redirectme[.]net - GET /p1c6drv/33085a3bb9b35b2c504b5503065a02530703020c0e555152080603010756035703;1;3;1

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-07-Fiesta-EK-flash-exploit.swf
File size:  9,999 bytes
MD5 hash:  2014-06-07-Fiesta-EK-flash-exploit.swf
Detection ratio:  1 / 36
First submission:  2014-06-04 22:54:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f629890d379bc3795f8526ee9c93eb4f3fee65807b8e398e0c0273d0106c4ba2/analysis/

File name:  2014-06-07-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15,662 bytes
MD5 hash:  3c0ef113f37e46a1b8ed10f2457d7111
Detection ratio:  2 / 51
First submission:  2014-06-05 22:09:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f2ef370bfcd64ffb91ac5e1ff28d41f71504a49cbbcba178df5a95ba6619971f/analysis/

 

JAVA EXPLOIT

File name:  2014-06-07-Fiesta-EK-java-exploit.jar
File size:  7,446 bytes
MD5 hash:  ed2e61b302c6ed7ccb3699cc33d23f71
Detection ratio:  1 / 50
First submission:  2014-06-07 02:09:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/92d1bcb375d26a8d55e117b79ae3d41fc2a6cb4e55688c7815b0e732f099b8fc/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-06-07-Fiesta-EK-silverlight-exploit.xap
File size:  11,458 bytes
MD5 hash:  12952a3839c4fbb3f315fb55ac3b77b2
Detection ratio:  3 / 51
First submission:  2014-06-05 22:09:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/514cec2e3ee686bc7d171ec424bb54b4ab88dfcb2b9231cb86dfd0ce12c1099f/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-07-Fiesta-EK-malware-payload.exe
File size:  135,176 bytes
MD5 hash:  866feb555402f3187e335617b4f83210
Detection ratio:  4 / 50
First submission:  2014-06-07 02:00:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c8584322005284e2e7cdee083bbc6d4ac510ca413dacbd4f520abe6636ab0b49/analysis/

 

ALERTS

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

• 2014-06-07 01:52:22 UTC - 85.25.20[.]27:80 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
• 2014-06-07 01:52:22 UTC - 85.25.20[.]27:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
• 2014-06-07 01:52:23 UTC - 85.25.20[.]27:80 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
• 2014-06-07 01:52:31 UTC - 85.25.20[.]27:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
• 2014-06-07 01:52:31 UTC - 85.25.20[.]27:80 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain (sid:2016582)
• 2014-06-07 01:52:32 UTC - 85.25.20[.]27:80 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)

Sourcefire VRT ruleset:

• 2014-06-07 01:52:22 UTC - 85.25.20[.]27:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
• 2014-06-07 01:52:23 UTC - 85.25.20[.]27:80 - EXPLOIT-KIT Angler exploit kit Silverlight exploit download (sid:28612)
• 2014-06-07 01:52:34 UTC - 85.25.20[.]27:80 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)

 

SCREENSHOT FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Click here to return to the main page.