Fiesta Kit takes the Fake AV and ZeroAccess party to nashville[.]com

(screenshot: nashville[.]com)

In this case the injected code is hiding at /generator/functions.php.
When decoded it creates an iframe pointing at the Fiesta landing page at bkyqric.sytes[.]net/tow8kazxw5yio/a023c09f5fc275f49b1844906678b0ce/ (108.59.9.32, LEASEWEB-US).
This host has a recent history of bad behavior, as can be seen at urlquery.

(screenshot: decoded iframe)

Adobe Flash, Reader and Java exploits, all from bkyqric.sytes[.]net:
pPOMyY76.swf: /vt078a2/?6a6a05e9324ea4af4516505a040e540a0258015a04575502035305565257560c;112202;233
fZtXGOgS.pdf: /vt078a2/?57ca35721e90f44b595e015a070e0601010e545a075707090005505651570407
zETsWBc6.jar: /vt078a2/?24fb11446ae8629a53460759050a0507060d51590553040f0706555553530701

Payloads:
flashplayer11_7r13497_415_win.exe  (ZeroAccess/Sirefef)
flashplayer11_7r13497_425_win.exe
flashplayer11_7r13497_411_win.exe
flashplayer11_7r13497_421_win.exe

Immediately after the first payload is delivered we observe a request to j.maxmind.com/app/geoip.js for geolocation (sent with no User-Agent or Accept headers), followed by malformed DNS queries to 194.165.17.4, a known ZeroAccess CnC host.

(screenshot: DNS traffic to 194.165.17.4)

Additional traffic with the fake user agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1):

cinnamyn[.]com /images/s.php?id=48
twinkcam[.]net /images/s.php?id=48
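Turning the indicators above into something a SOC can actually run: the Python below is added here as an example and is not part of the original write-up. It derives regexes from the Fiesta URL shapes quoted above (landing page /random/32-hex/, exploit requests /random/?64-hex[;n;n], payloads named flashplayer11_7r13497_nnn_win.exe) and checks proxy-log records for the two post-infection signals, the geoip.js lookup sent with no User-Agent or Accept header and the hard-coded IE6 user agent hitting /images/s.php?id=. The tab-separated log format, the sample lines and the example.com/example.net/example.org hostnames are constructed for the demonstration; the payload download path is assumed, since the post lists filenames only.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Patterns derived from the URLs quoted in the write-up:
#   landing page  /<random>/<32 hex>/
#   exploit files /<random>/?<64 hex>[;<digits>;<digits>]
#   payloads      flashplayer11_7r13497_<nnn>_win.exe
FIESTA_LANDING = re.compile(r"^/[a-z0-9]+/[0-9a-f]{32}/$")
FIESTA_EXPLOIT = re.compile(r"^/[a-z0-9]+/\?[0-9a-f]{64}(?:;\d+;\d+)?$")
FIESTA_PAYLOAD = re.compile(r"/flashplayer11_7r13497_\d{3}_win\.exe$")

# Post-infection indicators: the geoip lookup with no User-Agent/Accept
# headers, and the hard-coded IE6 user agent requesting /images/s.php?id=<n>.
GEOIP_CHECK = ("j.maxmind.com", "/app/geoip.js")
FAKE_IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
S_PHP_PATH = "/images/s.php"

# Constructed sample log (not from the original capture). Assumed format:
# tab-separated client, method, url, user-agent, accept; "-" = header absent.
# All hostnames except j.maxmind.com are placeholders for the sites in the
# post, and the payload download path is assumed.
FF_UA = "Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0"
JAVA_UA = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31"
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/29.0 Safari/537.36"
EK = "http://ek.example.net"
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("10.0.0.5", "GET", "http://compromised.example.com/generator/functions.php", FF_UA, "text/html"),
    ("10.0.0.5", "GET", EK + "/tow8kazxw5yio/a023c09f5fc275f49b1844906678b0ce/", FF_UA, "text/html"),
    ("10.0.0.5", "GET", EK + "/vt078a2/?24fb11446ae8629a53460759050a0507060d51590553040f0706555553530701", JAVA_UA, "*/*"),
    ("10.0.0.5", "GET", EK + "/vt078a2/?6a6a05e9324ea4af4516505a040e540a0258015a04575502035305565257560c;112202;233", FF_UA, "*/*"),
    ("10.0.0.5", "GET", EK + "/flashplayer11_7r13497_415_win.exe", JAVA_UA, "*/*"),
    ("10.0.0.5", "GET", "http://j.maxmind.com/app/geoip.js", "-", "-"),
    ("10.0.0.5", "GET", "http://beacon.example.org/images/s.php?id=48", FAKE_IE6_UA, "-"),
    ("10.0.0.9", "GET", "http://j.maxmind.com/app/geoip.js", CHROME_UA, "*/*"),   # benign: headers present
    ("10.0.0.9", "GET", "http://www.example.com/images/s.php?id=48", CHROME_UA, "*/*"),  # benign: real UA
])


def parse_log(text):
    """Split the tab-separated log into dicts; '-' marks an absent header."""
    records = []
    for line in text.splitlines():
        client, method, url, ua, accept = line.split("\t")
        records.append({"client": client, "method": method, "url": url,
                        "ua": None if ua == "-" else ua,
                        "accept": None if accept == "-" else accept})
    return records


def classify(rec):
    """Return the indicator tags that match one request (empty list if none)."""
    u = urlsplit(rec["url"])
    target = u.path + ("?" + u.query if u.query else "")
    tags = []
    if FIESTA_LANDING.match(u.path):
        tags.append("fiesta-landing")
    if FIESTA_EXPLOIT.match(target):
        tags.append("fiesta-exploit")
    if FIESTA_PAYLOAD.search(u.path):
        tags.append("fiesta-payload")
    # A browser fetching geoip.js always sends User-Agent and Accept; the
    # ZeroAccess dropper in this capture sent neither.
    if (u.hostname, u.path) == GEOIP_CHECK and rec["ua"] is None and rec["accept"] is None:
        tags.append("zeroaccess-geoip-check")
    if rec["ua"] == FAKE_IE6_UA and u.path == S_PHP_PATH and "id" in parse_qs(u.query):
        tags.append("fake-ie6-beacon")
    return tags


def scan(text):
    """Return (client, url, tags) for every request that matched an indicator."""
    hits = []
    for rec in parse_log(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["client"], rec["url"], tags))
    return hits


INFECTION_CHAIN = ("fiesta-landing", "fiesta-exploit", "fiesta-payload",
                   "zeroaccess-geoip-check")


def infected_hosts(records):
    """Hosts that walked the full chain in order (landing, exploit, payload,
    header-less geoip lookup). A lone landing or exploit hit is only an attempt."""
    progress = {}
    for rec in records:
        step = progress.get(rec["client"], 0)
        if step < len(INFECTION_CHAIN) and INFECTION_CHAIN[step] in classify(rec):
            progress[rec["client"]] = step + 1
    return sorted(c for c, s in progress.items() if s == len(INFECTION_CHAIN))


if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_LOG):
        print(client, ",".join(tags), url)
    print("infected:", infected_hosts(parse_log(SAMPLE_LOG)))
```

The URL regexes are specific to this campaign's Fiesta build and should be treated as brittle: the hex lengths and directory shapes change between kits. The header-less geoip.js request is the more durable signal, since no real browser omits both User-Agent and Accept, and the ordered chain check keeps a host that merely loaded the landing page from being reported as infected.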

VirusTotal:
pPOMyY76.swf:
https://www.virustotal.com/en/file/420fc7ca4332bcb82e772a18616c0a178178be6e41c9cadda4c6916f9c3d8b86/analysis/1379390638/
fZtXGOgS.pdf:
https://www.virustotal.com/en/file/310e84b91be03b36312a714f65736152347eb55eee826e02e04cd7bd1650bdd3/analysis/1379390593/
zETsWBc6.jar:
https://www.virustotal.com/en/file/850b3e5e128b85dde9120085829da9673d54802fa7dcdebba6655adc8450f319/analysis/1379390792/

flashplayer11_7r13497_411_win.exe:
https://www.virustotal.com/en/file/850b3e5e128b85dde9120085829da9673d54802fa7dcdebba6655adc8450f319/analysis/1379390357/
flashplayer11_7r13497_415_win.exe:
https://www.virustotal.com/en/file/6030dea6914e4806ce91be88b8bafcd9eab9c2f47c757acf1eb743d957668109/analysis/1379390412/
flashplayer11_7r13497_421_win.exe:
https://www.virustotal.com/en/file/d6865839527e6bfe830dc00b8b423196e3a88c94a1b45b4965783ca4c36bb3d4/analysis/1379390464/
flashplayer11_7r13497_425_win.exe:
https://www.virustotal.com/en/file/d6865839527e6bfe830dc00b8b423196e3a88c94a1b45b4965783ca4c36bb3d4/analysis/1379390538/