2014-01-31 - DOTKACHEF EK
ASSOCIATED FILES:
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PREVIOUS ENTRY ON DOTKACHEF EK:
TRAFFIC
ALERTS:

- 02:39:22 UTC - 192.185.52[.]100:80 - ET INFO JJEncode Encoded Script
- 02:39:22 UTC - 192.185.52[.]100:80 - ET CURRENT_EVENTS Applet tag in jjencode as seen in Dotka Chef EK
- 02:39:39 UTC - 192.185.52[.]100:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
- 02:39:39 UTC - 192.185.52[.]100:80 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 02:39:39 UTC - 192.185.52[.]100:80 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 02:39:41 UTC - 192.185.52[.]100:80 - ET POLICY PE EXE or DLL Windows file download
- 02:39:41 UTC - 192.185.52[.]100:80 - ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32
- 02:39:41 UTC - 192.185.52[.]100:80 - ET POLICY Java EXE Download
- 02:39:41 UTC - 192.185.52[.]100:80 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
ASSOCIATED DOMAINS
- 91.120.22[.]137 - www.bbj[.]hu - Compromised website
- 103.31.186[.]40 - seris[.]biz - Redirect domain
- 192.185.52[.]100 - www.auburnhaircolor[.]com - DotkaChef EK domain
INFECTION CHAIN OF EVENTS
- 02:39:16 UTC - 91.120.22[.]137 - www.bbj[.]hu - GET /
- 02:39:21 UTC - 103.31.186[.]40 - seris[.]biz - GET /cbe2a33e.js?cp=www.bbj[.]hu
- 02:39:22 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?=MDct5iYw5Gf2AjMwITNxQTM5ETO5MDfvQDM1UzMxEmNkFzLiJjMkBTYwEmYz8yZtl2Ll1WZoR3Xwd3Lz5WarN3LkV2YuFmdkF2LzVWblhGdvU2YtlnbpR3Lzp2LzVGZ1x2YulWLwd3Lt92YuI3bs92YylWYo5mc1JWdh5yd3d3LvoDc0RHa8NnZ
- 02:39:38 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=s&k=3991914152020613
- 02:39:39 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=a&k=3991914152020635
- 02:39:39 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=s&k=3991914152020613
- 02:39:39 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=a&k=3991914152020635
- 02:39:39 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=s&k=3991914152020613
- 02:39:39 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=a&k=3991914152020635
- 02:39:40 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=s&k=3991914152020613
- 02:39:40 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=s&k=3991914152020613
- 02:39:40 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=s&k=3991914152020613
- 02:39:40 UTC - 192.185.52[.]100 - www.auburnhaircolor[.]com - GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/?f=npb.mp3&k=3991914152020646
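The long value on the first auburnhaircolor[.]com request (the one with the empty parameter name after "?=") is plain base64 written backwards. Reversed and decoded it is a pipe-delimited record: the literal "fs", the landing directory's own URL, a 14-digit number that is the leading part of every later k= value in the chain, and "npb.mp3", the f= value of the final request that delivered the EXE. The script below is an added example, not code from the original write-up or from the exploit kit; the request target and the three k= values are copied from the chain above, and calling the numeric field a session key is an assumption based only on this one capture.

```python
import base64
from urllib.parse import urlsplit

# Landing-page request copied from the infection chain above. The query
# parameter has an empty name, so the encoded value follows "?=" directly.
LANDING_REQUEST = (
    "/wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/3ba0a0d22b/1d6a135504/"
    "?=M"
    "Dct5iYw5Gf2AjMwITNxQTM5ETO5MDfvQDM1UzMxEmNkFzLiJjMkBTYwEmYz8yZtl2Ll1WZoR3Xwd3Lz5WarN3LkV2YuFmdkF2LzVWblhGdvU2YtlnbpR3Lzp"
    "2LzVGZ1x2YulWLwd3Lt92YuI3bs92YylWYo5mc1JWdh5yd3d3LvoDc0RHa8NnZ"
)

# k= values from the later ?f=s, ?f=a and ?f=npb.mp3 requests in the same chain.
LATER_K_VALUES = ["3991914152020613", "3991914152020635", "3991914152020646"]


def decode_query_value(value: str) -> list:
    """Reverse the string, restore base64 padding, decode and split on '|'.

    validate=True makes b64decode raise binascii.Error on any character
    outside the base64 alphabet, so garbage input fails loudly instead of
    decoding to junk.
    """
    b64 = value[::-1]
    b64 += "=" * (-len(b64) % 4)          # page copies drop the '=' padding
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("ascii").split("|")


def parse_landing_request(request_target: str) -> dict:
    """Split a request line target into path, parameter name and decoded fields."""
    parts = urlsplit(request_target)
    name, _, value = parts.query.partition("=")
    fields = decode_query_value(value)
    return {"path": parts.path, "param": name, "fields": fields}


def shared_key_prefix(fields: list, k_values: list):
    """Return the numeric field if every later k= value starts with it, else None.

    Treating that field as a per-victim session key is an assumption; the
    check only shows the later requests carry the same leading digits.
    """
    key = fields[2]
    return key if key.isdigit() and all(k.startswith(key) for k in k_values) else None


if __name__ == "__main__":
    parsed = parse_landing_request(LANDING_REQUEST)
    for i, field in enumerate(parsed["fields"]):
        print(f"field[{i}] = {field}")
    print("shared k= prefix:", shared_key_prefix(parsed["fields"], LATER_K_VALUES))
```

The decoded directory URL is the same path the landing request itself was sent to, and the last field names the payload the client will later ask for with f=; a detection that only matches on the literal path segments will miss a rehosted copy of the kit, whereas the reverse-base64 shape of the parameter and the "|"-separated layout survive a move to another compromised WordPress site.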
File name: 2014-01-31-DotkaChef-java-exploit.jar
File size: 11,039 bytes
MD5 hash: 3aa7cb2d4f808919f507fc9eca1a43d8
Virus Total link: https://www.virustotal.com/en/file/983d843249c19194332205c4c343f356512295a703382140d5948158f793b6b8/analysis/
Detection ratio: 4 / 46
First submission to VirusTotal: 2014-01-30 13:42:12 UTC
File name: 2014-01-31-DotkaChef-EXE-payload.exe
File size: 92,887 bytes
MD5 hash: 7ccefe3039a0c7c65ee3a532e7699b9a
Virus Total link: https://www.virustotal.com/en/file/9ebe114525fa6381aa3d518f491e3f2e0b2fe960b15a855608e7ca95231da5a2/analysis/
Detection ratio: 27 / 50
First submission to VirusTotal: 2014-01-30 22:07:25 UTC


