Malvertising at aduserver.com leads to DotkaChef EK

Found this on http://www.alldirtyteens.com/ – it seems to target the US.

http://ad.aduserver.com/www/delivery/spcjs.php?id=41&block=1&blockcampaign=1&target=_blank
http://ad.aduserver.com/www/delivery/spc.php?zones=122%7C123%7C124%7C125%7C126%7C127%7C128%7C129%7C130&source=&r=48221909&block=1&blockcampaign=1&target=_blank&charset=utf-8&loc=http%3A//www.alldirtyteens.com/hosted-id841-perfect-pussy-and-body-for-a-fuck.html&referer=http%3A//realhomesex.net/leftads.html
http://ad.aduserver.com/www/delivery/fl.js
http://dimecut.eu/5b22f446.js?cp=ad.aduserver.com

Domain Name: ADUSERVER.COM
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
Referral URL: http://www.key-systems.net
Name Server: NS0.TRANSIP.NET
Name Server: NS1.TRANSIP.NL
Name Server: NS2.TRANSIP.EU
Status: ok
Updated Date: 11-feb-2013
Creation Date: 10-feb-2010
Expiration Date: 10-feb-2014

Registrant Contact: P-JUG1066
Registrant Organization:
Registrant Name: J Gruter
Registrant Street: Bonnikestraat 76
Registrant City: Hilversum
Registrant Postal Code: 1222 EN
Registrant State:
Registrant Country: NL
Registrant Phone: +31.629066368
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jasper@gruter.net

Some dollar / bracket obfuscated code – Avast has already blogged about this: https://blog.avast.com/2013/02/14/malware-dollar-equals-tilde-square-brackets/

Then the exploit kit – my knowledge of EKs is limited, but it seems to be Dotka Chef EK 🙂

Malzilla is able to decode it easily:

The EK seems to be hosted on a hacked website, and the redirection made by dimecut.eu is random, probably picked from a pool.
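The "$=~[]" style obfuscation mentioned above (the kind Avast describes and Malzilla decodes) has a very recognisable shape: the script seeds a variable from an empty array and then builds every character out of properties whose names consist only of `$` and `_`. The following triage heuristic is an added example written for this post; it is not code from the page, from Avast or from Malzilla, and both script bodies it scans are constructed for illustration, not captures from the sites listed here. It flags scripts that carry the seed expression or an unusual density of `$`/bracket characters, which is the kind of signal a web proxy or sandbox could use to pick out the ad script for a closer look.

```python
"""Heuristic detector for "$=~[]" (jjencode-style) JavaScript obfuscation.

Added example for this post; not code from the page, Avast or Malzilla.
The two script bodies below are constructed samples, not real captures.
"""
import re

# jjencode-style code opens by deriving numbers from an empty array:
# `$=~[];` yields -1, then `$={___:++$, ...}` builds everything from it.
JJ_SEED = re.compile(r"\$\s*=\s*~\s*\[\s*\]\s*;")
# Property accesses whose names are made only of $ and _ (e.g. $.$_$, $.__$)
JJ_PROP = re.compile(r"\$\.[\$_]{2,}")


def jj_score(script: str) -> dict:
    """Return simple obfuscation indicators for one script body."""
    total = max(len(script), 1)
    dollars = script.count("$")
    brackets = script.count("[") + script.count("]")
    return {
        "seed": bool(JJ_SEED.search(script)),          # seed expression present
        "dollar_props": len(JJ_PROP.findall(script)),  # $.$_$-style property uses
        "dollar_ratio": dollars / total,               # share of '$' characters
        "bracket_ratio": brackets / total,             # share of '[' and ']'
    }


def looks_jjencoded(script: str) -> bool:
    """True when the body matches the $=~[] obfuscation pattern."""
    s = jj_score(script)
    # The seed plus a handful of $/_ property names is a strong signal on its own.
    if s["seed"] and s["dollar_props"] >= 5:
        return True
    # Otherwise require an implausible density of $ and brackets for hand-written JS.
    return (s["dollar_ratio"] > 0.15 and s["bracket_ratio"] > 0.08
            and s["dollar_props"] >= 10)


def triage(scripts: dict) -> list:
    """Return the names of scripts (name -> body) that look obfuscated."""
    return [name for name, body in scripts.items() if looks_jjencoded(body)]


# Constructed samples. BENIGN is ordinary jQuery-style code, which also uses '$'
# heavily but never as $.$_$-style property names.
BENIGN = '$(document).ready(function(){ $("#ad").html("hi"); var a=[1,2,3]; });'
# OBFUSCATED is the opening of a jjencode-style script (constructed, truncated).
OBFUSCATED = ('$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,'
              '$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,'
              '$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};'
              '$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+'
              '((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+'
              '($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;')

if __name__ == "__main__":
    # Hypothetical script names, used only to key the constructed bodies.
    for name in triage({"page_lib.js": BENIGN, "ad_script.js": OBFUSCATED}):
        print("obfuscated:", name, jj_score({"page_lib.js": BENIGN,
                                             "ad_script.js": OBFUSCATED}[name]))
```

The seed check alone catches the canonical form; the density fallback is there because a minifier or a second wrapper can separate the seed from the rest of the script. Thresholds are deliberately conservative so that jQuery-heavy pages, which also contain many `$` characters, are not flagged.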
http://dimecut.eu/5b22f446.js?cp=ad.aduserver.com
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?==wMw1mLulWYt9VbzxHN3IDM3YTM0IDM5IjMzw3L2QDOyQGO2gjYi9SeyVGbsF2Zwd3Lz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dv02bj5ycuFmZpNXYkF2c1t2LvoDc0RHa8NnZ
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410
http://kusadasifans.com/wp-includes/js/tinymce/plugins/wpgallery/bb868d2846/?f=s&k=3229024167027410

I was not able to get the payload – it seems buggy.
Detection is average – ad.aduserver.com has no detection – as there is bracket/dollar code on it, it probably belongs to the malware guys.

https://www.virustotal.com/fr/url/337f84acea1c953b2d3b2d22f4315fa698a4cf058233872ee489f0cad5d9df99/analysis/1386161625/

URL: http://dimecut.eu/5b22f446.js?cp=ad.aduserver.com
Detection ratio: 3 / 51
Analysis date: 2013-12-04 12:53:45 UTC (0 minutes ago)

BitDefender Malware site
Fortinet Malware site
Sophos Malicious site

~~

Bracket / dollar code of the EK: https://www.virustotal.com/en/file/2976afcb73d0783919f030d510beda14a9bc6e18e16d003dce56d648b9e2f79b/analysis/1386162159/

SHA256: 2976afcb73d0783919f030d510beda14a9bc6e18e16d003dce56d648b9e2f79b
File name: bla.txt
Detection ratio: 1 / 47
Analysis date: 2013-12-04 13:02:39 UTC (9 minutes ago)

Sophos Troj/ExpJs-JZA 20131204

Gonna ping some AV to add some detections 🙂
