Dotcachef exploit kit at thmm[.]com delivering ZeroAccess


For excellent background info on Dotcachef, please see the following posts:

thmm[.]com hosts content for Sonoma Valley news site news.sonomaportal[.]com.
Upon visiting news.sonomaportal[.]com after clicking through a Google search result, JavaScript at ecolup[.]biz/aea479a1.js? is executed, which results in a 302 redirect to the landing page at xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?=MDct5ibpFWbf12c8NjN1ATOxUTM0MzN2UTN89iZ1kDZ2MTZ2ATYvM3cj9yct9yclxWaG5WarN1c19Wa2Vmcw9SZoNWYj9SahFDct0ib45SayFWY4RnY0JWLt0SLuhnLj12ZkFWMs1SLuh3LvoDc0RHa8NnZ

Copy at [pastebin] for your review.


*Although .xn--p1ai looks like an odd TLD, it is the punycode (ASCII) form of the Cyrillic country-code TLD .рф, or .rf, for the Russian Federation [wikipedia]

I found a useful online tool that will convert the domain punycode into its Cyrillic form at
In this case xn--l1adgmc.xn----btbtxaari[.]xn--p1ai converts to форум.ооои-брс[.]рф and appears to be a legitimate site that has been compromised.
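To do the same conversion offline, and in reverse so that an indicator written in Cyrillic can be turned into the A-label form DNS actually carries, here is an added Python example. It is not code from this post or from the online tool mentioned above; it relies only on the standard library's punycode codec and unicodedata. The refang(), decode_idn(), encode_idn(), label_scripts() and mixed_script_labels() names are mine, and the mixed-script check goes slightly beyond the post: it flags any decoded label that blends scripts, which is the usual homograph warning sign, whereas the landing page here is single-script Cyrillic and passes that check.

```python
import unicodedata


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in write-ups so the name can be processed."""
    return indicator.replace("[.]", ".")


def decode_idn(hostname: str) -> str:
    """Turn every 'xn--' A-label into its Unicode U-label; plain labels pass through."""
    out = []
    for label in refang(hostname).lower().split("."):
        if label.startswith("xn--"):
            # What follows the ACE prefix is RFC 3492 punycode.
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def encode_idn(hostname: str) -> str:
    """Inverse of decode_idn: the A-label form that actually goes out in DNS queries."""
    out = []
    for label in refang(hostname).lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def label_scripts(label: str) -> set:
    """Rough script inventory of a label, taken from the Unicode character names
    ('CYRILLIC SMALL LETTER EF' -> 'CYRILLIC'). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(hostname: str) -> list:
    """Decoded labels that mix more than one script, the usual homograph warning sign."""
    return [lbl for lbl in decode_idn(hostname).split(".") if len(label_scripts(lbl)) > 1]


if __name__ == "__main__":
    landing = "xn--l1adgmc.xn----btbtxaari[.]xn--p1ai"   # landing-page host from the post above
    print(decode_idn(landing))                          # Unicode form of the host
    print(encode_idn(decode_idn(landing)))              # round-trips back to the A-labels
    print(mixed_script_labels(landing))                 # [] : every label is one script
```

decode_idn() lowercases the name first because IDNA is case-insensitive and the punycode codec expects the canonical lower-case form; the encoder does the same so that a round trip always reproduces the label a resolver would have queried.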

  • .jar (CVE-2013-1493): xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?f=s&k=5567341519056311
  • payload: xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?f=sm_main.mp3&k=5567341519056322

*Several requests for app.jnlp were observed, but they were met with 404s, possibly a misconfiguration as they were requested from news.sonomaportal[.]com. In this case they would have been ineffective as I was using JRE 6.24.


Note the binary payload is disguised with an audio/mpeg content type.
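Comparing the declared Content-Type against the first bytes of the body is the simplest way to catch this kind of disguise in proxy logs or a sandbox capture. The following is an added Python example and not code from this post; the sample responses are constructed (the MZ, PK and ID3 leading bytes are genuine file signatures, while the hosts and k= values are placeholders), and the sniff(), classify() and flag_mismatches() names are mine.

```python
# Constructed sample responses: (url, declared Content-Type, first bytes of body).
# Hosts and k= values are placeholders; the leading bytes are genuine file signatures.
SAMPLES = [
    ("hxxp://landing.example/css/a06e36d95f/?f=sm_main.mp3&k=PLACEHOLDER", "audio/mpeg",
     b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),          # Windows PE executable
    ("hxxp://landing.example/css/a06e36d95f/?f=s&k=PLACEHOLDER", "application/java-archive",
     b"PK\x03\x04\x14\x00\x08\x08\x08\x00"),                           # JAR (a zip container)
    ("hxxp://media.example/intro.mp3", "audio/mpeg",
     b"ID3\x04\x00\x00\x00\x00\x00\x23"),                              # MP3 with an ID3v2 tag
    ("hxxp://media.example/loop.mp3", "audio/mpeg; charset=binary",
     b"\xff\xfb\x90\x64\x00\x00\x00\x00"),                             # bare MPEG audio frame
]

# Leading-byte signatures, checked in order.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-elf"),
    (b"PK\x03\x04", "application/zip"),
    (b"ID3", "audio/mpeg"),
    (b"%PDF", "application/pdf"),
]

# Declared types that are acceptable for a given sniffed type.
COMPATIBLE = {
    "application/zip": {"application/zip", "application/java-archive",
                        "application/x-java-archive", "application/octet-stream"},
    "audio/mpeg": {"audio/mpeg", "audio/mp3", "audio/mpeg3"},
}

EXECUTABLE = {"application/x-dosexec", "application/x-elf"}


def sniff(body: bytes) -> str:
    """Guess a MIME type from the first bytes of a response body."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    # An MP3 without an ID3 tag starts directly with an MPEG audio frame:
    # 11 sync bits set, i.e. 0xFF followed by a byte whose top three bits are set.
    if len(body) >= 2 and body[0] == 0xFF and (body[1] & 0xE0) == 0xE0:
        return "audio/mpeg"
    return "application/octet-stream"


def classify(declared: str, body: bytes) -> str:
    """Compare the declared Content-Type with what the bytes say.

    'executable' : a native binary arrived under a type that does not admit it
    'mismatch'   : any other disagreement between header and body
    'match'      : header and body agree
    'unknown'    : no recognised signature, so nothing can be said
    """
    declared = declared.split(";")[0].strip().lower()   # drop parameters such as charset
    sniffed = sniff(body)
    if sniffed == "application/octet-stream":
        return "unknown"
    if sniffed in EXECUTABLE:
        return "match" if declared in {sniffed, "application/octet-stream"} else "executable"
    return "match" if declared in COMPATIBLE.get(sniffed, {sniffed}) else "mismatch"


def flag_mismatches(samples):
    """Return (url, declared, sniffed, verdict) for every response that needs a look."""
    findings = []
    for url, declared, body in samples:
        verdict = classify(declared, body)
        if verdict in {"executable", "mismatch"}:
            findings.append((url, declared, sniff(body), verdict))
    return findings


if __name__ == "__main__":
    for row in flag_mismatches(SAMPLES):
        print("%s | declared %s | looks like %s | %s" % row)
```

Only the first sample is flagged: the JAR is served as application/java-archive, which the table accepts for a zip container, and both genuine MP3 bodies agree with their header. In a real deployment the check would run on the first few hundred bytes of each response, which is cheap enough to apply to every download a proxy sees.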


Shortly after the payload was delivered, traffic to known ZeroAccess CnC at was observed.



At the time of this encounter resolved to
Passive DNS shows a few other suspect domains with that IP.

xn--l1adgmc.xn----btbtxaari[.]xn--p1ai (форум.ооои-брс[.]рф) resolved to