For background information on “cookiebomb” injection I recommend these excellent posts:
And as always, please use care when visiting any of the sites in this post.
Behind the scenes, the iframe constructed by the obfuscated “cookiebomb” injection code first leads to 184.108.40.206/cart/LNPgnbtH.php, followed by redirects to https://www[.]islandgirlactivities.com/cart/LNPgnbtH.php and finally the landing page at kennethcolenyoutlet[.]com/topic/successful_records.php.
Where the malicious .jar and binaries it downloads are pulled from:
After infection, a check-in is made via POST to kennethcolenyoutlet[.]com/forum/viewtopic.php (note the Content-Type and Content-Encoding headers):
Followed by four attempts to download the same binary from different sources:
After the binaries were received, a request to microsoft.com was observed being directed to 220.127.116.11 in the Netherlands. (This appears to be a Medfos connectivity check using the forged User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0):
And finally another request to www.my-debugbar[.]com, which returned a 200 response but no data:
At this point, UDP traffic originating from port 6674 was observed communicating with a number of ISP hosts, possibly Zeus P2P.
netsh firewall show portopening shows that UDP 6674 and TCP 5830 have been enabled.
bm6dog.exe, N6iU.exe and uexgRF.exe: https://www.virustotal.com/en/file/ae378145e31c70f376d97a60274b4b3b5744fdbad008c722c074911e68f1865f/analysis/
- POST to URI path “/forum/viewtopic.php” with Content-Type: application/octet-stream and Content-Encoding: binary
- Requests to www.microsoft.com/uploading/id= with forged user agent, followed by an increase in UDP traffic to ISP destinations.
- Fortunately none of the binaries are encoded, so standard executable detections should pick those up.
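To show how the two network indicators above can be checked mechanically, here is an added example (not code from the original post) that matches the check-in POST and the forged-User-Agent connectivity check against a few constructed proxy-log lines, and separately flags an internal host whose UDP fan-out from source port 6674 to many distinct destinations looks like the P2P activity described. The log layout (timestamp, method, host, path, then `key=value` headers separated by `|`) and the flow-line layout are assumptions made for the example; the host `c2.example`, the internal addresses and the threshold of five destinations are constructed values, and the `/uploading/id=` path and Firefox 20 User-Agent are taken from the post.

```python
"""Indicator matching for the check-in and connectivity traffic described above.

Added example; the log and flow formats are simplified, constructed layouts,
not the output of any particular proxy or IDS. Adapt parse_line() and
UDP_FLOW_RE to your own sources.
"""
import re
from dataclasses import dataclass, field

# Values taken from the post.
FORGED_UA = "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"
CHECKIN_PATH = "/forum/viewtopic.php"
CONNECTIVITY_PATH_PREFIX = "/uploading/id="
P2P_SOURCE_PORT = 6674


@dataclass
class HttpEvent:
    ts: str
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_line(line: str) -> HttpEvent:
    """Parse one constructed log line:
    '<ts> <METHOD> <host> <path> k1=v1|k2=v2...' (header part optional).
    Header names are lower-cased so matching is case-insensitive."""
    ts, method, host, path, *rest = line.split(" ", 4)
    headers = {}
    if rest:
        for kv in rest[0].split("|"):
            k, _, v = kv.partition("=")
            headers[k.strip().lower()] = v.strip()
    return HttpEvent(ts, method.upper(), host.lower(), path, headers)


def indicators(ev: HttpEvent) -> list:
    """Return the names of the indicators this event matches."""
    hits = []
    h = ev.headers
    # Check-in: POST to /forum/viewtopic.php whose body is declared as an
    # octet-stream with Content-Encoding: binary (an unusual header pairing).
    if (ev.method == "POST" and ev.path == CHECKIN_PATH
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("checkin-post")
    # Connectivity check: www.microsoft.com/uploading/id= with the forged UA.
    if (ev.host == "www.microsoft.com"
            and ev.path.startswith(CONNECTIVITY_PATH_PREFIX)
            and h.get("user-agent") == FORGED_UA):
        hits.append("ms-connectivity-check")
    return hits


def scan(lines) -> list:
    """Return (timestamp, host+path, [indicator names]) for matching lines."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line.strip())
        hits = indicators(ev)
        if hits:
            results.append((ev.ts, ev.host + ev.path, hits))
    return results


# Constructed flow-record layout: '<ts> UDP <src>:<sport> -> <dst>:<dport>'
UDP_FLOW_RE = re.compile(
    r"^(?P<ts>\S+) UDP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def udp_fanout(flow_lines, sport=P2P_SOURCE_PORT, threshold=5) -> dict:
    """Count distinct destinations per internal host sending UDP from `sport`;
    return {host: count} for hosts at or above `threshold` (constructed value)."""
    dests = {}
    for line in flow_lines:
        m = UDP_FLOW_RE.match(line.strip())
        if not m or int(m["sport"]) != sport:
            continue
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


# Constructed sample input (hosts and addresses are placeholders).
SAMPLE_HTTP = [
    "2013-05-10T12:00:01 POST c2.example /forum/viewtopic.php "
    "content-type=application/octet-stream|content-encoding=binary|user-agent=Mozilla/4.0",
    "2013-05-10T12:00:05 GET www.microsoft.com /uploading/id=1234 user-agent=" + FORGED_UA,
    # Benign: same forged UA string but an ordinary Microsoft path.
    "2013-05-10T12:00:09 GET www.microsoft.com /en-us/default.aspx user-agent=" + FORGED_UA,
    # Benign: a real forum post uses form encoding, not octet-stream/binary.
    "2013-05-10T12:00:12 POST forum.example.org /forum/viewtopic.php "
    "content-type=application/x-www-form-urlencoded|user-agent=Mozilla/4.0",
]
SAMPLE_UDP = [f"2013-05-10T12:01:{i:02d} UDP 10.0.0.5:6674 -> 203.0.113.{i}:3{i}00" for i in range(1, 7)]
SAMPLE_UDP.append("2013-05-10T12:01:30 UDP 10.0.0.9:6674 -> 198.51.100.7:4000")

if __name__ == "__main__":
    for hit in scan(SAMPLE_HTTP):
        print("HTTP", hit)
    for host, n in udp_fanout(SAMPLE_UDP).items():
        print(f"UDP fan-out from port {P2P_SOURCE_PORT}: {host} -> {n} destinations")
```

The HTTP rule deliberately requires both the path and the odd Content-Type/Content-Encoding pairing, so ordinary forum posts to a `viewtopic.php` URL do not alert; the connectivity-check rule keys on the path prefix plus the exact User-Agent rather than the host alone, since the forged UA is a plausible browser string on its own.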