2013-07-08 - DOTKACHEF EK FROM 64.64.17.46 - WWW.BRAINSYNC.COM

PCAP AND MALWARE:

• ZIP file of the PCAP:  2013-07-08-DotkaChef-EK-traffic.pcap.zip
• ZIP file of the malware:  2013-07-08-DotkaChef-EK-malware.zip

 

NOTES:

• This was my secon dblog entry, back when I began documenting exploit kit (EK) traffic, and I didn't realize this was DotkaChef EK.
• On 2014-09-20, I updated this blog entry with more information, and changed the format to how I now report EK traffic.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 94.76.245.25 - spammers-paradise.com - Compromised website
• 103.31.186.94 - alnera.eu - Redirect
• 64.64.17.46 - www.brainsync.com - DotkaChef EK

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

• 02:54:54 UTC - 94.76.245.25 - spammers-paradise.com - GET /forums/
• 02:54:54 UTC - 94.76.245.25 - spammers-paradise.com - GET /forums/index.php?ipbv=72bcf32f255785cd07d351aceecf1eaa&charset=UTF-8&f=public/js/ips.quickpm.js&c=1
• 02:54:55 UTC - 103.31.186.94 - alnera.eu - GET /F39BC8C5.js?cp=spammers-paradise.com

 

DOTKACHEF EK:

• 02:54:55 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?==wMw1mLulWYt9Vbzx3NwQDM0cTM1cTO0
  YTO2w3L0UTOxEGMlNGM48ycldWYtl2LvJHc15WZtd3cf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2Lt92YuMmb5NnbpFmci5yd3d3LvoDc0RHa8NnZ
• 02:55:09 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?f=s&k=6964975174040710
• 02:55:11 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?f=sm_main.mp3&k=6964975174040721

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2013-07-08-DotkaChef-EK-java-exploit.jar
File size:  28.8 KB ( 29491 bytes )
MD5 hash:  ba534bd5f1eab5a7f60511ecc22624e7
Detection ratio:  24 / 52
First submission:  2013-07-05 22:32:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4d56a3ac7602f6a0e4f84ed75d2c26afbdaabab1be79e1a617306f60eeebee26/analysis/

 

MALWARE PAYLOAD:

File name:  2013-07-08-DotkaChef-malware-payload.exe
File size:  250.5 KB ( 256512 bytes )
MD5 hash:  056bc904952f7a34741a5e15db6787bd
Detection ratio:  48 / 55
First submission:  2013-07-08 04:18:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d66e45dc52cb2fd6babc1f04d3dd5345d1d6facda6b482f16e16fcaec3523aff/analysis/

 

SNORT EVENTS

Screenshot of Emerging Threats rule hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

 

SCREENSHOTS FROM THE TRAFFIC

Script in first page delivered from the compromised website:

 

Redirect ponting to alnera.eu:

 

alnera.eu redirecting to DotkaChef EK landing page:

 

DotkaChef EK landing page with JJEncoded script ( Click here for a write-up from Kahu Security to learn more about JJEncoded script. ):

 

DotkaChef EK delivering the java exploit:

 

DotkaChef EK delivering the malware payload

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP file of the PCAP:  2013-07-08-DotkaChef-EK-traffic.pcap.zip
• ZIP file of the malware:  2013-07-08-DotkaChef-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.