Malvertising leading to DotkaChef EK

Found this on – seems to target the US.

Whois Server:
Referral URL:
Name Server: NS0.TRANSIP.NET
Name Server: NS1.TRANSIP.NL
Name Server: NS2.TRANSIP.EU
Status: ok
Updated Date: 11-feb-2013
Creation Date: 10-feb-2010
Expiration Date: 10-feb-2014

Registrant Contact: P-JUG1066
Registrant Organization:
Registrant Name: J Gruter
Registrant Street: Bonnikestraat 76
Registrant City: Hilversum
Registrant Postal Code: 1222 EN
Registrant State:
Registrant Country: NL
Registrant Phone: +31.629066368
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:

Some dollar/bracket code; Avast has already blogged about this:


Then the exploit kit. My knowledge of EKs is limited, but it seems to be DotkaChef EK 🙂 [screenshots: aduserver_malvert, aduserver_malvert2]
Malzilla is able to decode it easily: [screenshots: aduserver_malvert3, aduserver_malvert4]

The EK seems to be hosted on a hacked website, and the redirection is made randomly, probably from a pool. [screenshot: aduserver_malvert5]

I was not able to get the payload; it seems buggy.
Detections are average (– has no detection); as there is bracket/dollar code in it, it probably belongs to the malware guys.

Detection ratio: 3 / 51
Analysis date: 2013-12-04 12:53:45 UTC

BitDefender Malware site
Fortinet Malware site
Sophos Malicious site


Bracket/dollar code of the EK:

File name: bla.txt
Detection ratio: 1 / 47
Analysis date: 2013-12-04 13:02:39 UTC

Sophos Troj/ExpJs-JZA 20131204


Gonna ping some AV to add some detections 🙂
