CritXPack Exploit Kit

CritXPack currently uses a semi-static tag as a directory in the URI path (one letter, six digits, one letter, e.g. /b081112s/) that you can match with a regex:

\/[a-z][0-9]{6}[a-z]\/

(The CVE-2012-4792 and EXE signatures below use a looser variant of this regex that makes the trailing letter optional.)

See Examples of CritXPack Exploit Kit on UrlQuery.net

GATE

HTTP Request Method = GET
HTTP URI = */i.php?token=* OR */in.php?jquery=*

See examples of CritxPack GATE urls on UrlQuery.net

Plugin Detect

HTTP Request Method = GET
Content Type = application/javascript
HTTP URI = */js/pd.js OR */js/rdps.js

See CritxPack Plugin Detect examples on UrlQuery.net

MALPDF

HTTP Request Method = GET
Content Type = application/pdf
HTTP URI = */p5.php?t=*

See Examples of CritXPack Exploit Pack PDFs on UrlQuery.net

MALJAR

HTTP Request Method = GET
Content Type = application/java-archive
HTTP URI = */j.php?t=u00* OR */j15.php?i=* OR */j16.php?i=* OR */j17.php?i=*

See CritxPack MalJAR on UrlQuery.net

CVE-2012-4792

HTTP Request Method = GET
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]?\/
HTTP URI = */i8.php?jquery=*

EXE

HTTP Request Method = GET
Content Type = application/octet-stream
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]?\/
HTTP URI = */load.php?e=*

See examples of CritXPack EXEs on UrlQuery.net

Examples:

http://magrety.herapid.org/b081112s/i.php > GATE
http://magrety.herapid.org/b081112s/js/pd.js > MALJS
http://magrety.herapid.org/b081112s/p5.php?t=u0059u0053u0072u0074u0035u0044u0072u0072u0035u0031&oh=ZFhYT3N6ekxGakhpWFo5ZGQTRERHVNw… > PDF
http://magrety.herapid.org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072 > JAR
http://magrety.herapid.org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074& > MALEXE

babos.scrapping.cc/v211112n/i.php?token=forum > GATE
babos.scrapping.cc/v211112n/js/pd.js > MALJS
babos.scrapping.cc/v211112n/p5.php?t=u0059u0053u0072u0053u0072u006cu0035u0031u0035u0041&oh=ZFhYT3N6emxGbFVCOUJXSEZPTzY9ajlXV3poWSMjIyNZPXpvVUZmOU9kT1JpTTREREFENEREclM0RERycnBYVVBpPU00RERycjRERHJrNEREMVk0REQxQTRERHJmcA== > MALPDF
babos.scrapping.cc/v211112n/j.php?t=u0059u0053u0072u0053u0072u006cu0035u0031u0035u0041 > MALJAR
babos.scrapping.cc/v211112n/load.php?e=u004au0061u0076u0061&token=u0066u006fu0072u0075u006d& > MALEXE
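As an added example (not code from the original post or from the kit's authors), here are the signatures above written as a small Python classifier and run over the post's own example URLs. It also decodes the query values, which in the samples are plain ASCII written as uXXXX escapes with the backslash dropped; that reading is an assumption drawn from the examples themselves (e=u004au0061u0076u0061 decodes to Java, token=u0066u006fu0072u0075u006d to forum, matching the ?token=forum gate URL above). Content-Type is not part of a URL, so that condition from the signatures is not checked here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Semi-static directory tag from the post: a letter, six digits, optional trailing letter
# (the looser variant used by the CVE-2012-4792 and EXE signatures).
TAG_RE = re.compile(r"/[a-z][0-9]{6}[a-z]?/")

# Query values in the samples are ASCII written as uXXXX escapes with the backslash dropped
# (assumption drawn from the examples: u004au0061u0076u0061 == "Java").
UESC_RUN_RE = re.compile(r"(?:u[0-9a-fA-F]{4})+")
UESC_RE = re.compile(r"u([0-9a-fA-F]{4})")


def glob_to_regex(pattern):
    """Turn a post-style URI glob into a regex: only '*' is a wildcard, '?' stays literal."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


# (label, URI globs as written in the post, whether the path must also carry the tag)
SIGNATURES = [
    ("GATE",          ["*/i.php?token=*", "*/in.php?jquery=*"], False),
    ("PLUGIN_DETECT", ["*/js/pd.js", "*/js/rdps.js"], False),
    ("MALPDF",        ["*/p5.php?t=*"], False),
    ("MALJAR",        ["*/j.php?t=u00*", "*/j15.php?i=*", "*/j16.php?i=*", "*/j17.php?i=*"], False),
    ("CVE-2012-4792", ["*/i8.php?jquery=*"], True),
    ("MALEXE",        ["*/load.php?e=*"], True),
]
COMPILED = [(label, [glob_to_regex(g) for g in globs], needs_tag)
            for label, globs, needs_tag in SIGNATURES]


def split_url(url):
    """Return (path, query) for a URL given with or without a scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.path, parts.query


def classify(url):
    """Return the first signature label that matches the request URI, or None."""
    path, query = split_url(url)
    uri = path + ("?" + query if query else "")
    for label, regexes, needs_tag in COMPILED:
        if needs_tag and not TAG_RE.search(path):
            continue
        if any(r.match(uri) for r in regexes):
            return label
    return None


def tag_of(url):
    """Return the semi-static directory tag found in the path, or None."""
    m = TAG_RE.search(split_url(url)[0])
    return m.group(0) if m else None


def decode_uescapes(value):
    """Decode a value made entirely of uXXXX escapes; anything else is returned unchanged."""
    if not UESC_RUN_RE.fullmatch(value):
        return value
    return "".join(chr(int(h, 16)) for h in UESC_RE.findall(value))


def decode_params(url):
    """Decode every query parameter of a URL; the empty field after a trailing '&' is dropped."""
    _, query = split_url(url)
    return {k: decode_uescapes(v) for k, v in parse_qsl(query)}


# The post's own example URLs. The first gate request carries no query string, so it does
# not match the GATE glob as written; only its directory tag flags it.
EXAMPLES = [
    "http://magrety.herapid.org/b081112s/i.php",
    "http://magrety.herapid.org/b081112s/js/pd.js",
    "http://magrety.herapid.org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072",
    "http://magrety.herapid.org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&",
    "babos.scrapping.cc/v211112n/i.php?token=forum",
    "babos.scrapping.cc/v211112n/load.php?e=u004au0061u0076u0061&token=u0066u006fu0072u0075u006d&",
]

if __name__ == "__main__":
    for u in EXAMPLES:
        print(f"{classify(u) or '-':14} tag={tag_of(u)} params={decode_params(u)}")
```

The glob translation deliberately treats `?` as a literal character rather than the single-character wildcard that fnmatch would make of it, so `*/p5.php?t=*` only matches a real query string. Note the decoded `token=` value on the EXE request (forum) equals the `?token=forum` seen on the matching gate request, which is a handy way to tie the two hits together in proxy logs.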

References:

http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html
CritXPack on Malwaredomainlist.com
