Kein Exploit Kit

I don’t know an official name for this one; it is very popular.

Dyndns Domains being used:

epac.to OR freetcp.com OR faqserv.com OR qpoe.com OR 2waky.com OR 1dumb.com OR ddns.info OR lflinkup.com

Regex for GATE:

\/((info\.php\?n=)?[0-9]{1,3}|n\/[0-9]{1,3})$

Kein EXE

HTTP Method = GET
Content-type = application/octet-stream
HTTP URI ends with &t=17

Examples:

11/27/2012 —

hxxp://holopopopopto.2waky.com/296 > REDIR
hxxp://voloporotoroko.epac.to/info.php?n=296 > GATE
hxxp://www3.tmbhptvzvrcf20.volpet.com/?djo5r=iN%2FYma%BppJOeluD…%3D
hxxp://www1.d-9jnw27k0kyhg0.volpet.com/j012ih8u?o8jec=k5nazd3S…
hxxp://www1.d-9jnw27k0kyhg0.volpet.com/14243362.js > MALJAVA
hxxp://www1.d-9jnw27k0kyhg0.volpet.com/i.html
hxxp://www1.d-9jnw27k0kyhg0.volpet.com/AIcULzc.jar > MALJAR
hxxp://www2.cqndn7wz6ls929.ftp1.biz/?6q19=Wt…%3D%3D&t=17 > FAKE AV EXE

2/11/2013 —

hxxp://fywyzyra.1dumb.com/234
hxxp://gewybaiylu.epac.to/info.php?n=234
hxxp://www3.raefhr9.lflink.com/?zztn3d46uj=nu%2Fd0nCZaW2mkN3UppOamK3u5rHQZJxpmayepsegnYw%3D
hxxp://www1.hickt853.lflink.com/cvssncu?5mlo=WdbZ6Nimyd7tmZ5ZqtbQrJ2emqeaqJ5XcqCS0MrL1bPGjIBZoeCpoZyaieXndaypjb2S0dHNoNjTgXprW9DZ4KXV29fmqJZZmNCpxLuPzOaxamVrY6CdnZmfm6SlaWlZqOHN493coKear56XcqGjldzdz7PWaW1omKSgo86gmpzoq3JkaKOcpZmel6elXpmios7V3aXg3u2nZqeUntPU4aGXz9zgoaOeY9Db3I7h1eKxq5ynnNjP0Iw%3D
hxxp://www1.hickt853.lflink.com/38521319.js
hxxp://www1.hickt853.lflink.com/i.html
hxxp://www1.hickt853.lflink.com/UOCgxl.js
hxxp://www1.hickt853.lflink.com/EItyjW.jar > JAR
hxxp://www2.j7pmisoh79lr4c.gw./?67d365z=WprRl3Qa8s9d5dbNqKSdbmqF5qjPc5mVa2uYsZ5r1qSgkePbdGqfqGSZZ2yYZGdb5t10oqGakdDKvaupsIiuXKfNl3NooN1b&t=16 > EXE (application/octet-stream) scandsk.exe

4/19/2013 —

http://mueikewyse.ddns.info/103 (Redirect)
http://polcboqa.ddns.info/info.php?n=103 (302 + setcookie)
http://www3.v9bxsoqbypeupmtj.lflink.com/?jlbk=jtfVz7Nul6%2Bkld3Y…3D (302)
http://www1.i16sr1aitxkij5is5.lflink.com/4kang13?d0btuzg=iKbT6bLo1c%2BdoZnnnMWmqaC… (iframe redir)
http://www1.i16sr1aitxkij5is5.lflink.com/281fb5b.js
http://www1.i16sr1aitxkij5is5.lflink.com/i.html
http://www1.i16sr1aitxkij5is5.lflink.com/nEWQJKX.js
http://www1.i16sr1aitxkij5is5.lflink.com/Herlyn.jar (cve-2013-0431)
…/java/lang/ stuff…
http://www2.g17dvyv5lrdwq5gv2.lflink.com?ktxp1c35=j9fl1G7Iq5qNp5nIt…&t=17 (scandsk.exe)
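To show how the indicators above turn into a proxy-log check, here is an added Python example (my own, not code from the original post): it applies the GATE regex to the path and query of each request on one of the listed DynDNS zones, and flags the payload download when the method is GET, the response Content-Type is application/octet-stream and the URI ends in &t=17. The log records, the `{"method", "url", "content_type"}` record shape, the defanged-URL handling, the two-label "registered domain" heuristic and the shortened query strings are all constructed for this example; note that the 2/11/2013 sample ends in &t=16, so the literal &t=17 rule alone would miss it, which is why the Content-Type and method conditions are kept in the check.

```python
import re
from urllib.parse import urlsplit

# DynDNS zones the post lists for the REDIR / GATE hops.
DYNDNS_DOMAINS = {
    "epac.to", "freetcp.com", "faqserv.com", "qpoe.com",
    "2waky.com", "1dumb.com", "ddns.info", "lflinkup.com",
}

# The post's GATE regex, applied to path + query of the request URI.
GATE_RE = re.compile(r"\/((info\.php\?n=)?[0-9]{1,3}|n\/[0-9]{1,3})$")

# The post's EXE indicator on the URI: it ends with &t=17.
EXE_URI_RE = re.compile(r"&t=17$")


def registered_domain(host):
    """Last two labels of the hostname (assumption: enough for the zones above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(record):
    """Tag one log record of the shape {"method", "url", "content_type"}."""
    url = record["url"]
    if url.startswith("hxxp"):          # accept defanged URLs as written in the post
        url = "http" + url[4:]
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    tags = []
    # REDIR (bare number) and GATE (info.php?n=) hops both match the regex,
    # and both sit on one of the DynDNS zones.
    if registered_domain(host) in DYNDNS_DOMAINS and GATE_RE.search(path_query):
        tags.append("GATE")
    # Payload: GET + application/octet-stream + URI ending in &t=17.
    if (record.get("method", "").upper() == "GET"
            and record.get("content_type", "").lower().startswith("application/octet-stream")
            and EXE_URI_RE.search(path_query)):
        tags.append("EXE")
    return tags


def scan(records):
    """Return (url, tags) for every record that matched at least one indicator."""
    hits = []
    for r in records:
        tags = classify(r)
        if tags:
            hits.append((r["url"], tags))
    return hits


# Constructed sample log, built from URLs in the post; content types and the
# shortened query strings are assumptions for the example.
SAMPLE_LOG = [
    {"method": "GET", "url": "hxxp://holopopopopto.2waky.com/296",
     "content_type": "text/html"},
    {"method": "GET", "url": "hxxp://voloporotoroko.epac.to/info.php?n=296",
     "content_type": "text/html"},
    {"method": "GET", "url": "hxxp://www1.d-9jnw27k0kyhg0.volpet.com/i.html",
     "content_type": "text/html"},
    {"method": "GET", "url": "hxxp://www2.cqndn7wz6ls929.ftp1.biz/?6q19=Wt%3D%3D&t=17",
     "content_type": "application/octet-stream"},
    # Placeholder host: the post's 2/11/2013 payload URL is garbled, but it ended in &t=16.
    {"method": "GET", "url": "hxxp://www2.placeholder-host.invalid/?67d365z=WprR&t=16",
     "content_type": "application/octet-stream"},
]

if __name__ == "__main__":
    for url, tags in scan(SAMPLE_LOG):
        print(", ".join(tags), url)
```

Run it as a script to print the tagged hits, or import `classify` and feed it records parsed from a real proxy log; anything more than the two-label domain heuristic (for example a public-suffix list) should replace `registered_domain` before using this on real traffic.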

See more examples of Kein Exploit Kit on UrlQuery.net
