2013-07-08 - DOTKACHEF EK FROM 64.64.17.46 - WWW.BRAINSYNC.COM

PCAP AND MALWARE:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

 

DOTKACHEF EK:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2013-07-08-DotkaChef-EK-java-exploit.jar
File size:  28.8 KB ( 29491 bytes )
MD5 hash:  ba534bd5f1eab5a7f60511ecc22624e7
Detection ratio:  24 / 52
First submission:  2013-07-05 22:32:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4d56a3ac7602f6a0e4f84ed75d2c26afbdaabab1be79e1a617306f60eeebee26/analysis/

 

MALWARE PAYLOAD:

File name:  2013-07-08-DotkaChef-malware-payload.exe
File size:  250.5 KB ( 256512 bytes )
MD5 hash:  056bc904952f7a34741a5e15db6787bd
Detection ratio:  48 / 55
First submission:  2013-07-08 04:18:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d66e45dc52cb2fd6babc1f04d3dd5345d1d6facda6b482f16e16fcaec3523aff/analysis/

 

SNORT EVENTS

Screenshot of Emerging Threats rule hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

 

SCREENSHOTS FROM THE TRAFFIC

Script in first page delivered from the compromised website:

 

Redirect pointing to alnera.eu:

 

alnera.eu redirecting to DotkaChef EK landing page:

 

DotkaChef EK landing page with a JJEncode-obfuscated script (click here for a write-up from Kahu Security to learn more about JJEncode):

 

DotkaChef EK delivering the java exploit:

 

DotkaChef EK delivering the malware payload:

 
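The screenshots above show the hop sequence as a series of HTTP requests: compromised site, redirector (alnera.eu), EK landing page, then the JAR and the EXE. The script below is an added example written for this post (not the blog's own tooling): it walks a classic libpcap capture, extracts each HTTP request, and lists URL, Referer and whether the browser or the Java runtime fetched it, which is how you reconstruct such a chain from the PCAP without a GUI. The capture it parses is constructed in-line; the 203.0.113.x server addresses, the landing/JAR/EXE paths and the User-Agent strings are placeholders, not the real DotkaChef URLs. Only 64.64.17.46, www.brainsync.com and alnera.eu come from the post.

```python
"""Reconstruct an EK infection's HTTP request chain from a libpcap file.

Added example, not the blog's own tooling. Parses classic libpcap
(Ethernet/IPv4/TCP), extracts HTTP requests and lists them with Host,
Referer and client type. The sample capture at the bottom is constructed
here; 203.0.113.x IPs and all EK paths are hypothetical placeholders.
"""
import struct

LINKTYPE_ETHERNET = 1


def iter_pcap_packets(data):
    """Yield raw frames from a libpcap file (either byte order, Ethernet only)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    return src, dst, tcp[(tcp[12] >> 4) * 4:]


def parse_http_request(payload):
    """Parse an HTTP request head into {'path': ..., 'headers': {...}}, else None."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"path": parts[1], "headers": headers}


def http_chain(pcap_bytes):
    """One tuple per HTTP request, in capture order:
    (url, referer or '(direct)', 'java' or 'browser', server_ip)."""
    rows = []
    for frame in iter_pcap_packets(pcap_bytes):
        pkt = tcp_payload(frame)
        req = parse_http_request(pkt[2]) if pkt else None
        if req is None:
            continue
        h = req["headers"]
        url = "http://" + h.get("host", pkt[1]) + req["path"]
        # JAR/EXE downloads come from the Java runtime, whose User-Agent carries "Java/"
        client = "java" if "Java/" in h.get("user-agent", "") else "browser"
        rows.append((url, h.get("referer", "(direct)"), client, pkt[1]))
    return rows


# --- constructed sample capture (placeholder, not the real pcap) --------------
def _frame(src, dst, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for parsing."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip


def _get(host, path, ua, referer=None):
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", f"User-Agent: {ua}"]
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


VICTIM = "192.168.1.100"  # placeholder victim address
BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"
JAVA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"  # placeholder Java UA
EK = "64.64.17.46"  # EK address from the post title; paths below are hypothetical
_FRAMES = [
    _frame(VICTIM, "203.0.113.10", _get("www.brainsync.com", "/", BROWSER)),
    _frame(VICTIM, "203.0.113.20", _get("alnera.eu", "/", BROWSER, "http://www.brainsync.com/")),
    _frame(VICTIM, EK, _get(EK, "/landing.html", BROWSER, "http://alnera.eu/")),
    _frame(VICTIM, EK, _get(EK, "/exploit.jar", JAVA)),
    _frame(VICTIM, EK, _get(EK, "/payload.exe", JAVA)),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(
    struct.pack("<IIII", 1373241600 + i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))

if __name__ == "__main__":
    for url, referer, client, ip in http_chain(SAMPLE_PCAP):
        print(f"{ip:>14}  {client:7}  {url}   <- {referer}")
```

To run it against the real capture, replace SAMPLE_PCAP with the bytes of the downloaded pcap. Note the limits: it only looks at the first segment of each request (no TCP reassembly), handles classic libpcap rather than pcapng, and skips VLAN-tagged frames, so for anything beyond a quick chain check use Wireshark's "Follow TCP stream" or tshark.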

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.