Fiesta Kit seen throwing ZeroAccess party at wranglerforum[.]com

As always, use care if investigating any of the domains/IPs in this post.

[image: wrangler1]

  • Injected iframe loads JavaScript from trestofech[.]com

[image: wrangler-js]

  • Iframe on trestofech[.]com/gvzbkhxnar.js?efbde6366e26b3df loads landing page at domsinternetbd[.]biz/zxj3iyd/?2

Pastebin for review: [pastebin]

[image: wrangler-iframe]

Exploits:

  • VojgQUIA.swf: domsinternetbd[.]biz/zxj3iyd/?03afe6fa5fb087794344075d570d5559050b535d5154565a0501520554045657;112202;233
  • Z0y5C_RH.pdf: domsinternetbd[.]biz/zxj3iyd/?4aa092d7736ed79d5808030b0b09570f0159530b0d50540c0153525308005401
  • cBtr2kz7.jar: domsinternetbd[.]biz/zxj3iyd/?147a33b60716414c5046565a0108510e040c055a0751520d0406040202015200

Payloads:

  • flashplayer11_7r38582_213_win.exe: domsinternetbd[.]biz/zxj3iyd/?4ac66ac8df9edcdc5119060d045a50000159510d02035303015350550753530e;1;3
  • flashplayer11_7r38582_211_win.exe: domsinternetbd[.]biz/zxj3iyd/?5cd9e6bf58e1783e501b0102570d515e005b56025154525d0051575a54045357;1;1
  • encoded binary: domsinternetbd[.]biz/zxj3iyd/?60041ca86fa38e8c5548550f035852000308020f05015103030203570051510e;1;2

Load confirmations:

  • domsinternetbd[.]biz/zxj3iyd/?4ac66ac8df9edcdc5119060d045a50000159510d02035303015350550753530e;1;3;1
  • domsinternetbd[.]biz/zxj3iyd/?5cd9e6bf58e1783e501b0102570d515e005b56025154525d0051575a54045357;1;1;1
  • domsinternetbd[.]biz/zxj3iyd/?60041ca86fa38e8c5548550f035852000308020f05015103030203570051510e;1;2;1
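The request pattern above (a landing page at `?2`, exploit and payload requests that carry a 64-hex token, and a load confirmation that repeats the payload's query with one extra `;` field) can be turned into a proxy-log triage check. The Python below is an added example, not part of the original post: the regex and the sample log lines are constructed from the URLs listed here, and the assumption that this URI shape and the payload/confirmation relationship generalize beyond this one capture is mine.

```python
import re

# Shape of the Fiesta-style URIs listed in this post: a short alphanumeric
# directory, then "?" followed by either a small decimal (landing page, "?2")
# or a 64-hex token with zero or more ";"-separated decimal fields.
# Assumption: derived only from the URLs in this post; other campaigns may differ.
FIESTA_URI = re.compile(
    r"/(?P<dir>[a-z0-9]{6,10})/\?(?P<query>[0-9a-f]{64}(?:;\d+)*|\d{1,2})$"
)

# Constructed sample proxy log (not the original capture).
# Columns: client_ip host uri status
SAMPLE_LOG = """\
10.0.0.5 wranglerforum.com / 200
10.0.0.5 trestofech.com /gvzbkhxnar.js?efbde6366e26b3df 200
10.0.0.5 domsinternetbd.biz /zxj3iyd/?2 200
10.0.0.5 domsinternetbd.biz /zxj3iyd/?4aa092d7736ed79d5808030b0b09570f0159530b0d50540c0153525308005401 200
10.0.0.5 domsinternetbd.biz /zxj3iyd/?03afe6fa5fb087794344075d570d5559050b535d5154565a0501520554045657;112202;233 200
10.0.0.5 domsinternetbd.biz /zxj3iyd/?4ac66ac8df9edcdc5119060d045a50000159510d02035303015350550753530e;1;3 200
10.0.0.5 domsinternetbd.biz /zxj3iyd/?4ac66ac8df9edcdc5119060d045a50000159510d02035303015350550753530e;1;3;1 200
10.0.0.5 domsinternetbd.biz /zxj3iyd/?60041ca86fa38e8c5548550f035852000308020f05015103030203570051510e;1;2 200
10.0.0.5 example.org /index.html?2 200
"""


def parse_fiesta_uri(uri):
    """Return (token, fields) for a Fiesta-shaped URI, or None if it does not match.

    token is None for the landing-page form ("?2"); fields is the tuple of
    decimal values after the 64-hex token (empty for a bare token).
    """
    m = FIESTA_URI.search(uri)
    if not m:
        return None
    parts = m.group("query").split(";")
    if len(parts[0]) != 64:
        return (None, (int(parts[0]),))
    return (parts[0], tuple(int(p) for p in parts[1:]))


def correlate_chain(log_text):
    """Scan proxy log lines and pair each payload request with its load confirmation.

    A confirmation is a request with the same 64-hex token whose fields are the
    payload's fields plus one trailing value (";1;3" -> ";1;3;1"), which is the
    relationship visible in the payload / load-confirmation URLs in this post.
    Returns the matched (host, uri) hits, the landing-page hits, and the
    (token, payload_fields, confirmation_fields) pairs found.
    """
    hits, landing, by_token = [], [], {}
    for line in log_text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue  # malformed line; skip rather than crash the sweep
        host, uri = cols[1], cols[2]
        parsed = parse_fiesta_uri(uri)
        if parsed is None:
            continue
        token, fields = parsed
        hits.append((host, uri))
        if token is None:
            landing.append((host, uri))
        else:
            by_token.setdefault(token, set()).add(fields)

    pairs = []
    for token, field_sets in by_token.items():
        for fields in field_sets:
            for other in field_sets:
                if len(other) == len(fields) + 1 and other[: len(fields)] == fields:
                    pairs.append((token, fields, other))
    return {"hits": hits, "landing": landing, "pairs": sorted(pairs)}


if __name__ == "__main__":
    result = correlate_chain(SAMPLE_LOG)
    print("Fiesta-shaped requests:", len(result["hits"]))
    for token, payload, confirm in result["pairs"]:
        print("payload", payload, "confirmed by", confirm, "token", token[:16], "...")
```

In the sample log the token `60041ca8…;1;2` has no matching `;1;2;1` request, so it shows up in the hits but not in the pairs; on a real proxy log that gap is the difference between "exploit kit reached, download attempted" and "payload executed and phoned home", and is worth surfacing separately.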


  • GeoIP lookup via j.maxmind.com/app/geoip.js, followed by communication with the ZeroAccess CnC at 85.114.128[.]127 and P2P activity:

[image: wrangler-p2p]

VirusTotal: