Neutrino at wafflehouse[.]com leads to ZeroAccess

Unfortunately this site has been infected for some time. Visitors coming from a search engine are greeted by a page with injected JavaScript that results in an iframe when decoded:


ffhrzvpnfm.myftp[.]org/2c60cab741c433a70fb09861553d3cd2/ is a 302 redirect to eew8cee.steadygos[.]com:8000/rrspottvhu?drhivpwuc=7213044 where the landing page is delivered.
A copy for your review: [pastebin]

The landing page includes requests to a number of .css and .js files.


A .jar file is served disguised with an audio/mp4 content type: eew8cee.steadygos[.]com:8000/srovfzb?beldcluoox=esvnohvwidq
It is followed by an encoded payload disguised as video/mp4: eew8cee.steadygos[.]com:8000/zrzuuofl?bxbhgs=esvnohvwidq


POST to krismencia[.]com/blog/wp-content/themes/yoko/js/ads2.php with Content-Type: application/octet-stream
and fake User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


A couple of failed attempts to download additional binaries:

404’d (possibly cleaned):
www.eyespypro[.]com/faq/templates/InterspireShoppingCart/Backup/Snippets/main/data/chng.exe
www.eyespypro[.]com/faq/templates/InterspireShoppingCart/Backup/Snippets/main/data/soft.exe

403’d (possibly cleaned):
www.yanasa.co[.]jp/ActiveKB/templates/Corporate/Images/Category/main/data/chng.exe
www.yanasa.co[.]jp/ActiveKB/templates/Corporate/Images/Category/main/data/soft.exe

And finally some success from cyberlandia[.]org/pacorubio/images/iconos-Fotografias-enlaces/main/data/chng.exe and cyberlandia[.]org/pacorubio/images/iconos-Fotografias-enlaces/main/data/soft.exe


Shortly after, geolocation using j.maxmind.com/app/geoip.js was observed, followed by initial contact with a known ZeroAccess CnC at 194.165.17.4 and P2P communications to destination port 16464.

At the time of this encounter ffhrzvpnfm.myftp[.]org was at 82.146.44.96 and eew8cee.steadygos[.]com at 212.83.136.198.
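The behaviours in this chain can be hunted for without relying on the rotating hostnames. The following is an added example, not part of the original post: it flags the four traits described above (an archive served with a media content type, the octet-stream POST with the fake User-Agent, the /main/data/ executable paths, and traffic to port 16464) and groups them per client. It generalizes the first check to any audio/* or video/* response. The record field names, the .example hosts and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Values taken from the write-up above; record field names are hypothetical.
FAKE_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
ZIP_MAGIC = b"PK\x03\x04"  # a .jar is a ZIP archive, so it starts with this
DROP_PATH = re.compile(r"/main/data/(chng|soft)\.exe$", re.IGNORECASE)
P2P_PORT = 16464

def classify(rec):
    """Return the indicator names matched by one proxy or flow record."""
    hits = []
    ctype = rec.get("resp_content_type", "")
    if ctype.startswith(("audio/", "video/")) and rec.get("body_head", b"").startswith(ZIP_MAGIC):
        hits.append("archive-served-as-media")
    if (rec.get("method") == "POST"
            and rec.get("req_content_type") == "application/octet-stream"
            and rec.get("user_agent") == FAKE_UA):
        hits.append("octet-stream-post-fake-ua")
    if DROP_PATH.search(rec.get("path", "")):
        hits.append("dropper-exe-path")
    if rec.get("dst_port") == P2P_PORT:
        hits.append("p2p-port-16464")
    return hits

def hosts_to_triage(records, min_stages=2):
    """Return clients that matched at least min_stages distinct stages, in order seen."""
    seen = defaultdict(list)
    for rec in records:
        for hit in classify(rec):
            if hit not in seen[rec["client"]]:
                seen[rec["client"]].append(hit)
    return {client: hits for client, hits in seen.items() if len(hits) >= min_stages}

# Constructed sample records: one client walking the chain, two benign look-alikes.
SAMPLE = [
    {"client": "10.0.0.5", "method": "GET", "path": "/srovfzb",
     "resp_content_type": "audio/mp4", "body_head": b"PK\x03\x04\x14\x00"},
    {"client": "10.0.0.5", "method": "POST", "path": "/js/ads2.php",
     "req_content_type": "application/octet-stream", "user_agent": FAKE_UA},
    {"client": "10.0.0.5", "method": "GET", "path": "/images/main/data/soft.exe",
     "resp_content_type": "application/octet-stream"},
    {"client": "10.0.0.5", "dst_port": 16464},
    {"client": "10.0.0.9", "method": "GET", "path": "/song.m4a",
     "resp_content_type": "audio/mp4", "body_head": b"\x00\x00\x00\x20ftypM4A "},
    {"client": "10.0.0.7", "method": "POST", "path": "/upload",
     "req_content_type": "application/octet-stream", "user_agent": "curl/8.0"},
]

if __name__ == "__main__":
    print(hosts_to_triage(SAMPLE))
```

Requiring two or more distinct stages per client keeps a lone octet-stream upload or a genuine MP4 download from raising an alert on its own.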

VirusTotal:

.jar:
https://www.virustotal.com/en/file/46ec4d7874c8a5c5c1f67e3a3c9a16dbccd80c9ad26a0172870b8db3858bb9c2/analysis/1386834660/

change.exe:
https://www.virustotal.com/en/file/15ddb357bd3411d3215b95d560b2161afbb02ffe85811c3f76138e6dc4531acd/analysis/1386834357/

soft.exe:
https://www.virustotal.com/en/file/1fdbec8a5bbfef505c431db57b6f7928cfc7b3d3e478c9721ec39403fa04a2b7/analysis/1386834485/