2014-06-21 - FIESTA EK ON 64.202.116[.]151 - FERZYPSY[.]IN[.]UA

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-06-21-Fiesta-EK-both-pcaps.zip
• 2014-06-21-Fiesta-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 64.202.116[.]151 - ferzypsy[.]in[.]ua - Fiesta EK
• various IP addresses - various domains - Post-infection traffic from sandbox analysis (see below)

FIESTA EK:

• 21:22:23 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/1
• 21:22:26 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/6f4b10a3ceb82ed545115259000b550104500c59055251080355555757060403;120000;38
• 21:22:26 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/053cb112106198c343594558530a050002030b58565301090506525604075402;5110411
• 21:22:26 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/7a9c2cd735a018865411525803585005055701580601540c0252585654550107;6
• 21:22:27 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/7a9c2cd735a018865411525803585005055701580601540c0252585654550107;6;1
• 21:22:34 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/334f70b035a0188650435f5d060b560201050c5d0352520b0600555351060700;5
• 21:22:34 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/334f70b035a0188650435f5d060b560201050c5d0352520b0600555351060700;5;1
• 21:22:35 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/36b70ec8ef50c84f59580e0c015e570a01005a0c040753030605030256530608
• 21:22:35 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/587b1295a5d0a52d5a57555900090d07070e0f590550090e000b565757045c56
• 21:22:35 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/587b1295a5d0a52d5a57555900090d07070e0f590550090e000b565757045c56
• 21:22:35 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/32d21adbfeab2720504a0109005a505001045c09050354590601050757570152;1;3
• 21:22:36 UTC - 64.202.116[.]151:80 - ferzypsy[.]in[.]ua - GET /nzrems2/32d21adbfeab2720504a0109005a505001045c09050354590601050757570152;1;3;1

TRAFFIC FROM MALWR SANDBOX ANALYSIS OF THE MALWARE PAYLOAD:

• 21:59:23 UTC - 176.36.149[.]220:80 - gummiringes[.]com - GET /b/shoe/54602
• 21:59:23 UTC - 176.36.149[.]220:80 - gummiringes[.]com - GET /b/shoe/54602
• 21:59:26 UTC - 37.57.26[.]167:80 - proactives-a[.]com - GET /pho-caguestbooks-a78.23/jquery/
• 22:00:11 UTC - 31.169.22[.]123:80 - proactives-a[.]com - GET /uni-terevolutions-f74.67/soft32.dll
• 22:00:16 UTC - 176.36.149[.]220:80 - vision-vaper[.]su - GET /b/eve/b35c8c01b86dd3f4aecf28fd
• 22:01:15 UTC - 176.36.149[.]220:80 - vision-vaper[.]su - POST /b/opt/F1E10E4D08316E6D03003198
• 22:01:15 UTC - 176.36.149[.]220:80 - vision-vaper[.]su - GET /b/letr/D4051FEFFE1BAE98F52AF16D
• 22:01:29 UTC - 27.254.40[.]105:8080 - 27.254.40[.]105:8080 - POST /b/opt/DC967C66376FAB813C5EF474
• 22:01:47 UTC - 27.254.40[.]105:8080 - 27.254.40[.]105:8080 - POST /b/req/2A280E95C302C273C8339D86
• 22:02:08 UTC - 27.254.40[.]105:8080 - 27.254.40[.]105:8080 - POST /b/req/622C5C558ABC319B818D6E6E
• 22:02:11 UTC - 192.162.19[.]34:80 - ownership-search[.]com - GET /
• 22:02:11 UTC - 192.162.19[.]34:80 - projects-search[.]com - GET /
• 22:02:11 UTC - 192.162.19[.]34:80 - services-search[.]com - GET /

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-21-Fiesta-EK-flash-exploit.swf
File size:  10,086 bytes
MD5 hash:  e811566df31461d01701f6fed593499c
Detection ratio:  0 / 53
First submission:  2014-06-21 22:05:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/95629ba84278981f84681a935cc26b47d250bfd7b15a1fb031e7343666f48560/analysis/

File name:  2014-06-21-Fiesta-EK-flash-exploit-uncompressed.swf
File size:  15,734 bytes
MD5 hash:  d40f48d1248d5e84acaf4b79d7c83d56
Detection ratio:  0 / 53
First submission:  2014-06-21 22:06:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2fb84c6050c27a2a4cc7417a6e0afe51407f97f1c095806d84d91500bb160919/analysis/

 

JAVA EXPLOIT

File name:  2014-06-21-Fiesta-EK-java-exploit.jar
File size:  7,895 bytes
MD5 hash:  296533af96774e8c63aad8ca7f74a5a4
Detection ratio:  2 / 54
First submission:  2014-06-20 14:17:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/997869e82e5163ebebc2ca01412d8eb91b2ad05b82eea52a78f633530edea053/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-06-21-Fiesta-EK-silverlight-exploit.xap
File size:  11,177 bytes
MD5 hash:  c87f1b6ae7c4a695de2ab56682774888
Detection ratio:  1 / 54
First submission:  2014-06-21 22:06:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/63819995c189f68bd97844ff8ac6abfa8927a1deabf6e409f5f5dc7bc119f722/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-21-Fiesta-EK-malware-payload.exe
File size:  77,832 bytes
MD5 hash:  137323a9603aca4a91702a59e5e171b0
Detection ratio:  1 / 54
First submission:  2014-06-21 21:55:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9b90e923852b8a3ae850ad86d2197a1c1527f7686f0ca4e80ff8b49baab88a3b/analysis/

 

FOLLOW-UP MALWARE

File name:  exe.exe
File size:  151,552 bytes
MD5 hash:  402d70d5f2b4cc83291d8a44fbc81386
Detection ratio:  1 / 53
First submission:  2014-06-21 22:04:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3a67ed1bd1fe578854edd2f7b78bd9782b5c2823ccaa7a852937ea804c8e7eaf/analysis/

 

ALERTS - INFECTION TRAFFIC

Emerging Threats and ETPRO rulesets:

• 2014-06-21 21:22:26 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
• 2014-06-21 21:22:26 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
• 2014-06-21 21:22:26 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
• 2014-06-21 21:22:35 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
• 2014-06-21 21:22:35 UTC - 64.202.116[.]151:80 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)

Sourcefire VRT ruleset:

• 2014-06-21 21:22:26 UTC - 64.202.116[.]151:80 - EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (sid:29443)
• 2014-06-21 21:22:26 UTC - 64.202.116[.]151:80 - EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (sid:28612)
• 2014-06-21 21:22:35 UTC - 64.202.116[.]151:80 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)

NOTE: These alerts were taken from Sguil on Security Onion

 

ALERTS - SANDBOX ANALYSIS OF MALWARE PAYLOAD

Emerging Threats and ETPRO rulesets:

• 176.36.149[.]220:80 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.relx Checkin (sid:2807742)
• 37.57.26[.]167:80 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 176.36.149[.]220:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• 176.36.149[.]220:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 176.36.149[.]220:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)

Sourcefire VRT ruleset:

• 37.57.26[.]167:80 - MALWARE-CNC Win.Trojan.Dofoil outbound connection (sid:28809)
• 176.36.149[.]220:80 - MALWARE-CNC Win.Trojan.Cidox variant outbound connection (sid:29356)

NOTE: These alerts were generated by using tcpreplay to replay the PCAP on Security Onion

 

Click here to return to the main page.