Malvertising at leads to DotkaChef EK

Found this on - it seems to target the US.

Whois Server:
Referral URL:
Name Server: NS0.TRANSIP.NET
Name Server: NS1.TRANSIP.NL
Name Server: NS2.TRANSIP.EU
Status: ok
Updated Date: 11-feb-2013
Creation Date: 10-feb-2010
Expiration Date: 10-feb-2014

Registrant Contact: P-JUG1066
Registrant Organization:
Registrant Name: J Gruter
Registrant Street: Bonnikestraat 76
Registrant City: Hilversum
Registrant Postal Code: 1222 EN
Registrant State:
Registrant Country: NL
Registrant Phone: +31.629066368
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]

Some dollar/bracket-obfuscated code; Avast has already blogged about this:


Then the exploit kit. My knowledge about EKs is limited, but it seems to be the DotkaChef EK 🙂

[image: aduserver_malvert]
[image: aduserver_malvert2]

Malzilla is able to decode it easily:

[image: aduserver_malvert3]
[image: aduserver_malvert4]

The EK seems to be hosted on a hacked website, and the redirection made by is random, probably chosen from a pool.

[image: aduserver_malvert5]

I was not able to get the payload - it seems buggy.
Detections are average; has no detection. As there is bracket/dollar code on it, it probably belongs to the malware guys.
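As an added example that is not from the original post, here is a small Python heuristic a defender could run over scripts served through an ad network to flag the dollar/bracket style of obfuscation described above. The character set, the thresholds and both sample scripts are constructed assumptions for illustration, not the campaign's code.

```python
"""Heuristic flag for '$'/bracket-heavy obfuscated JavaScript.

Added example (not from the original post): scores a script body by how
much of it is made of the punctuation that dollar/bracket encoders are
built from, and reports scripts above a threshold for analyst review.
The sample inputs below are constructed, not captured from the campaign.
"""
import re

# Characters that dominate dollar/bracket-encoded JavaScript (assumed set).
OBFUSCATION_CHARS = set("$_[]()+!")


def obfuscation_score(script: str) -> float:
    """Fraction of non-whitespace characters that belong to OBFUSCATION_CHARS.

    Returns 0.0 for an empty or whitespace-only script.
    """
    body = re.sub(r"\s+", "", script)
    if not body:
        return 0.0
    hits = sum(1 for ch in body if ch in OBFUSCATION_CHARS)
    return hits / len(body)


def dollar_run_count(script: str, min_run: int = 2) -> int:
    """Number of runs of `min_run` or more consecutive '$' characters."""
    return len(re.findall(r"\${%d,}" % min_run, script))


def is_dollar_bracket_obfuscated(script: str,
                                 score_threshold: float = 0.5,
                                 min_dollar_runs: int = 3) -> bool:
    """Flag a script when both punctuation density and '$$' runs are high.

    Requiring both conditions avoids flagging dense but legitimate minified
    code, which uses '$' sparingly (usually only as the jQuery alias).
    Thresholds are assumed starting points, to be tuned on real traffic.
    """
    return (obfuscation_score(script) >= score_threshold
            and dollar_run_count(script) >= min_dollar_runs)


def scan(scripts: dict) -> list:
    """Return the names of the scripts that trip the heuristic."""
    return [name for name, body in scripts.items()
            if is_dollar_bracket_obfuscated(body)]


# Constructed samples: a minified jQuery-style snippet and a synthetic
# dollar/bracket-encoded snippet in the style the post describes.
BENIGN_MINIFIED = (
    '$(function(){$("#ad").on("click",function(e){e.preventDefault();'
    'load("/offer")})});'
)
CONSTRUCTED_OBFUSCATED = (
    '$$=[];$$$=($$+[])[$$];$$$$=(!![]+[])[$$];$$$$$=$$$+$$$$;'
    '$$[$$$$$]=$$$$;($$[$$$$$])($$$+$$$$+$$$$$);'
)


if __name__ == "__main__":
    samples = {"benign": BENIGN_MINIFIED, "obfuscated": CONSTRUCTED_OBFUSCATED}
    for name, body in samples.items():
        print(f"{name}: score={obfuscation_score(body):.2f} "
              f"dollar_runs={dollar_run_count(body)} "
              f"flagged={is_dollar_bracket_obfuscated(body)}")
    print("flagged:", scan(samples))
```

The density score alone is not enough: minified production code is also punctuation-heavy, so the second condition on repeated `$` runs is what separates the encoder's output from ordinary minified jQuery. Anything flagged is a candidate for a Malzilla-style decode and a VirusTotal lookup, not an automatic block.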

Detection ratio: 3 / 51
Analysis date: 2013-12-04 12:53:45 UTC (0 minutes ago)
File analysis: go to the analysis of the uploaded file

BitDefender Malware site
Fortinet Malware site
Sophos Malicious site


Bracket/dollar code of the EK:

SHA256: 2976afcb73d0783919f030d510beda14a9bc6e18e16d003dce56d648b9e2f79b
File name: bla.txt
Detection ratio: 1 / 47
Analysis date: 2013-12-04 13:02:39 UTC (9 minutes ago)

Sophos Troj/ExpJs-JZA 20131204


Gonna ping some AV to add some detections 🙂

This article is licensed under Creative Commons BY-NC-SA.
You may share and modify this article provided that you credit the site and the license, use the same license if you modify the work, and do not make commercial use of it.