Malware-Traffic-Analysis.net - 2014-06-11

2014-06-11 - FIESTA EK FROM 64.202.116[.]151 - DOTCOMOR[.]IN[.]UA

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

ASSOCIATED DOMAINS:

208.43.210.234 - www.electriciantalk[.]com - Compromised website
75.102.9[.]195 - homyakys[.]com - Redirect
64.202.116[.]151 - dotcomor[.]in[.]ua - Fiesta EK
79.142.66[.]240 - report.i1qgmy7c31uo317i31[.]com, report.q17c3179g179317931[.]com, and report.1i9qgm9gm7g31aa3[.]com - Post-infection callback
5.149.248[.]153 - report.317c31u9mywsk1ywsk[.]com and update1.x887bn03fp[.]com - additional Post-infection callback noted in the Malwr sandbox analysis

COMPROMISED WEBSITE AND REDIRECT:

06:56:12 UTC - www.electriciantalk[.]com - GET /f17/
06:56:14 UTC - homyakys[.]com - GET /aDRdISwCp3TUb4q.js?I0Kw=3eb92963a3c0b645fb979

FIESTA EK:

06:56:15 UTC - dotcomor[.]in[.]ua - GET /v20idaf/2
06:56:19 UTC - dotcomor[.]in[.]ua - GET /v20idaf/589c0221b902a302464f5f5802090102070d00580450020a000b005456560201;120000;38
06:56:20 UTC - dotcomor[.]in[.]ua - GET /v20idaf/316c469567db1514405d4058060d0a0601040f580054090e06020f5452520905;5110411
06:56:21 UTC - dotcomor[.]in[.]ua - GET /v20idaf/1f498b3e421a955152165f020a59005603530d020c00035e04550d0e5e060355;6
06:56:23 UTC - dotcomor[.]in[.]ua - GET /v20idaf/1f498b3e421a955152165f020a59005603530d020c00035e04550d0e5e060355;6;1
06:56:32 UTC - dotcomor[.]in[.]ua - GET /v20idaf/13e8c26498ea45985b5d09035109050703065c035750060f04005c0f05560604
06:56:32 UTC - dotcomor[.]in[.]ua - GET /v20idaf/39ba06ef421a95515049095a020d5655010c5b5a0454555d060a5b5656525556;5
06:56:34 UTC - dotcomor[.]in[.]ua - GET /v20idaf/39ba06ef421a95515049095a020d5655010c5b5a0454555d060a5b5656525556;5;1
06:56:34 UTC - dotcomor[.]in[.]ua - GET /v20idaf/663e874b4e1429635959515e0a0c075104030a5e0c55045903050a525e530553
06:56:34 UTC - dotcomor[.]in[.]ua - GET /v20idaf/663e874b4e1429635959515e0a0c075104030a5e0c55045903050a525e530553
06:56:36 UTC - dotcomor[.]in[.]ua - GET /v20idaf/39f32f8a8911aaf750410308005d0b52010c5f080604085a060a5f0454020851;1;3
06:56:37 UTC - dotcomor[.]in[.]ua - GET /v20idaf/39f32f8a8911aaf750410308005d0b52010c5f080604085a060a5f0454020851;1;3;1

POST-INFECTION CALLBACK TRAFFIC:

06:56:24 UTC - report.i1qgmy7c31uo317i31[.]com - GET /?k3y7cE20=%96%CB%A7%A3%A2%A6%90%CDf%AA%C8%A3%B1%9B%9Bka%AA%A7%98ei%9C%96%95c
%98%D1%A6%9Fg%ADj%89%BC%A8m%E9%DB %A7%95%E7%DD%92%A6b%A3%A0%A4%A9%5D%CF%A1%98%B2%D4%A1%5E%8C%BCY%9E%97%C7%AC
%9D%A1i%B0z%9Awdi%AB%A6%B5%A0%A3%A7q%9Ca%B3%AB%B0%A9%7D%94vt%A5%A7ybx%A0Y%A3%93%D6%AC%9E%9Bc%A9g%95ub%60%A2%95%A1%
9F%A2%A4%5E%99a%A1%97%93%EFt%93ca%A5%9Fehi%8F%A5%ABk%99%A3%91
06:56:34 UTC - report.q17c3179g179317931[.]com - GET /?U93120=%96%CB%A7%A3%A2%A6%90%D5fp%C4ii%9Bq%9Falq%98eil%96%95c%98%D1%A6%89mgdX
%A7%E8%A2%E7%E5%A9%9A%A3%DA%95t%94ejni%8D%9D%A5%A0p%96%A5f%88%84T%D0%D8%D1%92iigis%A9%97%A2%A8%AB%B5s%A2bj%A6fay%7D%A
Aa%7Djvtgqybo%9A%95%DF%BA%ACpbb%60%A2%95%A2%9F%A2%A4%5E%A1bg%93cagi%97a%5D%60%9A %A1%93%C7%B3pgfT
06:56:38 UTC - report.1i9qgm9gm7g31aa3[.]com - GET /?9o17m20=%96%CB%A7%A3%A2%A6%90%95%9Er%D2%9D%A5%9D%9F%A5g%9Ck%96%95%93f%91%C
7%A4%A2%9B%A8ek%A1eV%E9%DB%AD%E6%E8%ABT %A6%D2%9D%AE%98%9Fr%9E%9D%5D%D3%A1%98%9E%C6%A1%5B%B8%C2%93%A6%D8%95t%9D
hf%A9%A8%A7%A1%A4%ADgr%AEj%A2%9A%B0l%97%AF%7B%AAcw%92%A4v%5E%9B%B5%9Ez%A6W%A9%D2%A5m%A3%95%A0%9F %A2%A6%5Ea%99i%A1
%98%9Di%97%9Dg%97ca%87%D7p%5E%93%9F%9Di%A1hi%93%A4%AA%AF%9B%A4%93

FLASH EXPLOIT

File name: 2014-06-11-Fiesta-EK-flash-exploit.swf
File size: 10,011 bytes
MD5 hash: 3776a85e1d72c3b2891324074b321cc1
Detection ratio: 2 / 54
First submission: 2014-06-13 05:14:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/70e576688db8155eefff7cf42134e3f5d9fd4e427beec3067b421408454eb3c9/analysis/

JAVA EXPLOIT

File name: 2014-06-11-Fiesta-EK-java-exploit.jar
File size: 7,851 bytes
MD5 hash: bb668b724fbf749c62094a014ae01861
Detection ratio: 4 / 54
First submission: 2014-06-10 15:07:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/8c87de523be610095c9f32feb4772125b4c49755fbae662bb9237f45c2f4ca14/analysis/

SILVERLIGHT EXPLOIT

File name: 2014-06-11-Fiesta-EK-silverlight-exploit.xap
File size: 11,482 bytes
MD5 hash: 88b15ddb871b858e384fb3ebb17991a9
Detection ratio: 2 / 54
First submission: 2014-06-10 10:16:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/daccb1628ac8ed91c31aa438e96e9732ffa2de7aa4de25d37a49bcb34e3b472c/analysis/

MALWARE PAYLOAD

File name: 2014-06-11-Fiesta-EK-malware-payload.exe
File size: 630,272 bytes
MD5 hash: b74176ab760cd4752749576e879288f7
Detection ratio: 33 / 54
First submission: 2014-06-11 17:25:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/b0e6179f59b6a11f545703293e501bd567429afc423b849284c3202fbee7acb1/analysis/

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

2014-06-11 06:56:19 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
2014-06-11 06:56:19 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
2014-06-11 06:56:20 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
2014-06-11 06:56:24 UTC - 79.142.66[.]240:80 - ET TROJAN Simda.C Checkin (sid:2016300)
2014-06-11 06:56:32 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
2014-06-11 06:56:32 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)

2014-06-11 06:56:19 UTC - 64.202.116[.]151:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
2014-06-11 06:56:20 UTC - 64.202.116[.]151:80 - EXPLOIT-KIT Angler exploit kit Silverlight exploit download (sid:28612)
2014-06-11 06:56:34 UTC - 64.202.116[.]151:80 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)

Malicious javascript in page from compromised website:

Redirect pointing to Fiesta EK:

Click here to return to the main page.