For excellent background info on Dotcachef, please see the following posts:
thmm[.]com hosts content for Sonoma Valley news site news.sonomaportal[.]com.
Copy at [pastebin] for your review.
*Although .xn--p1ai appears to be an odd domain, it is in fact the Cyrillic country code TLD .рф (.rf) for the Russian Federation [wikipedia].
I found a useful online tool that will convert the domain punycode into its Cyrillic form at mct.verisign-grs.com
In this case xn--l1adgmc.xn----btbtxaari[.]xn--p1ai converts to форум.ооои-брс[.]рф and appears to be a legitimate site that has been compromised.
- .jar (CVE-2013-1493): xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?f=s&k=5567341519056311
- payload: xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?f=sm_main.mp3&k=5567341519056322
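Decoding the punycode labels above, as an added example that is not from the original post: it uses Python's standard idna codec, refangs the [.] notation used in these notes, and flags any label that mixes scripts; the sample hostnames are the ones quoted above and the mixed-script check is a defender-side sanity check assumed here, not something the post describes.

```python
import unicodedata

# Constructed sample: the defanged hostnames exactly as written in the notes above
SAMPLE_HOSTS = [
    "xn--l1adgmc.xn----btbtxaari[.]xn--p1ai",
    "news.sonomaportal[.]com",
]


def refang(host: str) -> str:
    """Undo the common [.] / (.) defanging and normalise case and trailing dot."""
    return host.replace("[.]", ".").replace("(.)", ".").strip().rstrip(".").lower()


def idn_to_unicode(host: str) -> str:
    """Decode every xn-- (punycode) label with the stdlib idna codec.

    Labels without the ACE prefix pass through unchanged. A label that is not
    ASCII or fails the codec's round-trip check is kept verbatim, so a logged
    value is never silently rewritten into something it did not say."""
    labels = []
    for label in refang(host).split("."):
        try:
            labels.append(label.encode("ascii").decode("idna"))
        except UnicodeError:
            labels.append(label)
    return ".".join(labels)


def unicode_to_idn(host: str) -> str:
    """Reverse direction: Unicode hostname back to the ACE form seen on the wire."""
    return ".".join(label.encode("idna").decode("ascii") for label in host.split("."))


def scripts_in_label(label: str) -> set:
    """Script names (first word of each letter's Unicode name) used in one label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(host: str) -> bool:
    """True if any single label mixes scripts (e.g. Latin plus Cyrillic).

    A consistent single-script label, like the all-Cyrillic forum domain above,
    is not flagged; mixing within one label is worth a closer look."""
    return any(len(scripts_in_label(lbl)) > 1 for lbl in idn_to_unicode(host).split("."))


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{refang(h):42} -> {idn_to_unicode(h)}  mixed-script={is_mixed_script(h)}")
```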
*Several requests for app.jnlp were observed, but they were met with 404s, possibly a misconfiguration as they were requested from news.sonomaportal[.]com. In this case they would have been ineffective as I was using JRE 6.24.
Note that the binary payload is disguised with an audio/mpeg Content-Type.
Shortly after the payload was delivered, traffic to known ZeroAccess CnC at 188.8.131.52 was observed.
At the time of this encounter ecolup.biz resolved to 184.108.40.206.
Passive DNS shows a few other suspect domains on that IP.
xn--l1adgmc.xn----btbtxaari[.]xn--p1ai (форум.ооои-брс[.]рф) resolved to 220.127.116.11.