2013-07-08 - DOTKACHEF EK FROM 64.64.17.46 - WWW.BRAINSYNC.COM
PCAP AND MALWARE:
- ZIP file of the PCAP: 2013-07-08-DotkaChef-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-07-08-DotkaChef-EK-malware.zip
NOTES:
- This was my second blog entry, back when I began documenting exploit kit (EK) traffic, and I didn't realize this was DotkaChef EK.
- On 2014-09-20, I updated this blog entry with more information, and changed the format to how I now report EK traffic.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 94.76.245.25 - spammers-paradise.com - Compromised website
- 103.31.186.94 - alnera.eu - Redirect
- 64.64.17.46 - www.brainsync.com - DotkaChef EK
COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 02:54:54 UTC - 94.76.245.25 - spammers-paradise.com - GET /forums/
- 02:54:54 UTC - 94.76.245.25 - spammers-paradise.com - GET /forums/index.php?ipbv=72bcf32f255785cd07d351aceecf1eaa&charset=UTF-8&f=public/js/ips.quickpm.js&c=1
- 02:54:55 UTC - 103.31.186.94 - alnera.eu - GET /F39BC8C5.js?cp=spammers-paradise.com
DOTKACHEF EK:
- 02:54:55 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?==wMw1mLulWYt9Vbzx3NwQDM0cTM1cTO0YTO2w3L0UTOxEGMlNGM48ycldWYtl2LvJHc15WZtd3cf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2Lt92YuMmb5NnbpFmci5yd3d3LvoDc0RHa8NnZ
- 02:55:09 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?f=s&k=6964975174040710
- 02:55:11 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?f=sm_main.mp3&k=6964975174040721
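The chain above is the kind of thing an analyst reconstructs by hand from the PCAP: which host came first, which request carried the referring site, and which requests on the EK host were the exploit and payload downloads. The following Python script is an added example (not code from this blog) that parses lines in the format used in this post and rebuilds that chain. The sample lines are copied from the chain of events above; the "f= and k= together" rule used to flag the EK delivery requests is an assumption drawn from this single capture, not a general DotkaChef signature.

```python
import re
from collections import OrderedDict

# Constructed sample: the chain-of-events lines from this post, in the
# "- HH:MM:SS UTC - ip - host - METHOD /path" format the post uses.
SAMPLE_EVENTS = """\
- 02:54:54 UTC - 94.76.245.25 - spammers-paradise.com - GET /forums/
- 02:54:54 UTC - 94.76.245.25 - spammers-paradise.com - GET /forums/index.php?ipbv=72bcf32f255785cd07d351aceecf1eaa&charset=UTF-8&f=public/js/ips.quickpm.js&c=1
- 02:54:55 UTC - 103.31.186.94 - alnera.eu - GET /F39BC8C5.js?cp=spammers-paradise.com
- 02:54:55 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?==wMw1mLulWYt9Vbzx3NwQDM0cTM1cTO0YTO2w3L0UTOxEGMlNGM48ycldWYtl2LvJHc15WZtd3cf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2Lt92YuMmb5NnbpFmci5yd3d3LvoDc0RHa8NnZ
- 02:55:09 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?f=s&k=6964975174040710
- 02:55:11 UTC - 64.64.17.46 - www.brainsync.com - GET /administrator/components/com_swmenupro/images/80ce0a1954/?f=sm_main.mp3&k=6964975174040721
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) UTC - (?P<ip>[\d.]+) - (?P<host>\S+) - "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)


def parse_events(text):
    """Parse chain-of-events lines into dicts; lines that don't match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("- "))
        if m:
            events.append(m.groupdict())
    return events


def query_params(path):
    """Split the query string of a request path into a dict (last value wins)."""
    if "?" not in path:
        return {}
    query = path.split("?", 1)[1]
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def redirect_chain(events):
    """Distinct (host, ip) pairs in first-seen order: compromised site -> redirect -> EK."""
    hosts = OrderedDict()
    for e in events:
        hosts.setdefault(e["host"], e["ip"])
    return list(hosts.items())


def referrer_hints(events):
    """Map each host whose request carries a 'cp' parameter to the site named in it.
    In this capture the redirector (alnera.eu) reported the compromised site that way."""
    hints = {}
    for e in events:
        params = query_params(e["path"])
        if "cp" in params:
            hints[e["host"]] = params["cp"]
    return hints


def ek_delivery_requests(events):
    """Flag requests whose query string carries both 'f' and 'k'.
    Assumption: in this one PCAP that shape marked the exploit and payload
    downloads; it is a heuristic for this capture, not a general signature."""
    flagged = []
    for e in events:
        params = query_params(e["path"])
        if "f" in params and "k" in params:
            flagged.append((e["time"], e["host"], params["f"], params["k"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, ip in redirect_chain(evs):
        print(f"{ip:16} {host}")
    print("referrer hints:", referrer_hints(evs))
    for time, host, f, k in ek_delivery_requests(evs):
        print(f"{time} {host} f={f} k={k}")
```

Feeding it the same lines for a different capture is a quick way to check whether the ordering of hosts and the download requests line up with what the screenshots show; a request on the compromised site that also has an `f` parameter (the forum's own `ips.quickpm.js` load) is correctly left alone because it lacks `k`.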
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT:
File name: 2013-07-08-DotkaChef-EK-java-exploit.jar
File size: 28.8 KB ( 29491 bytes )
MD5 hash: ba534bd5f1eab5a7f60511ecc22624e7
Detection ratio: 24 / 52
First submission: 2013-07-05 22:32:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/4d56a3ac7602f6a0e4f84ed75d2c26afbdaabab1be79e1a617306f60eeebee26/analysis/
MALWARE PAYLOAD:
File name: 2013-07-08-DotkaChef-malware-payload.exe
File size: 250.5 KB ( 256512 bytes )
MD5 hash: 056bc904952f7a34741a5e15db6787bd
Detection ratio: 48 / 55
First submission: 2013-07-08 04:18:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/d66e45dc52cb2fd6babc1f04d3dd5345d1d6facda6b482f16e16fcaec3523aff/analysis/
SNORT EVENTS
Screenshot of Emerging Threats rule hits from Sguil on Security Onion (without ET POLICY or ET INFO events):
SCREENSHOTS FROM THE TRAFFIC
Script in first page delivered from the compromised website:
Redirect pointing to alnera.eu:
alnera.eu redirecting to DotkaChef EK landing page:
DotkaChef EK landing page with JJEncoded script (click here for a write-up from Kahu Security to learn more about JJEncoded script):
DotkaChef EK delivering the java exploit:
DotkaChef EK delivering the malware payload:
FINAL NOTES
Once again, here's the PCAP of the traffic and ZIP file of the malware:
- ZIP file of the PCAP: 2013-07-08-DotkaChef-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-07-08-DotkaChef-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.