SPL Exploit Kit

Drops ZeroAccess and RogueAV

Gates: Look for */?a=YWZmaWQ9MD* in the HTTP URI field

Alternatively, try the regex \/\?a=[a-zA-Z0-9]{15} on the URI field

See examples of SPL Exploit Kit Gates on UrlQuery.net

Jar Payloads: Look for */analizator_data/*.jar or */spl_data/*.jar or */q_data/*.jar in the HTTP URI field. You can also regex the URI field for: \/[a-z]{6,}\-a\.[a-z]{6,}\.jar$

See examples of SPL Exploit Kit Gates on UrlQuery.net

Alternatively you can regex on the jar file name:

\/[a-z]+\-[a-z]\.[a-z]+\.jar$

Examples:

/elpznnpljilqexy-a.vzxzdwznkkbd.jar
/bqicfvfiimgd-a.kfvrlwdb.jar
/ufatitkodjqfrf-a.qazyqcbllqbxti.jar

The EXE payload is usually served from a different IP; try looking for */mestats in the HTTP URI field

The EXE response will have a Content-Type of "text/html" instead of the usual "application/octet-stream"
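The indicators above, turned into a small detection pass over proxy log lines. This is an added example, not code from the original post: the wildcard indicators are rewritten as regexes, the regexes quoted on the page are used as-is, the log format (client_ip host uri content_type) and the log lines themselves are constructed for the demonstration, and the content-type mismatch on the EXE stage is flagged separately.

```python
import re
from typing import List, Optional, Tuple

# Detection rules built from the SPL EK indicators above.
GATE_RE = re.compile(r"/\?a=YWZmaWQ9MD[A-Za-z0-9]*")      # */?a=YWZmaWQ9MD*
GATE_GENERIC_RE = re.compile(r"/\?a=[a-zA-Z0-9]{15}")      # broader gate regex from the page
JAR_DIR_RE = re.compile(r"/(analizator_data|spl_data|q_data)/[^/]+\.jar$")
JAR_NAME_RE = re.compile(r"/[a-z]+\-[a-z]\.[a-z]+\.jar$")  # jar file-name regex from the page
EXE_RE = re.compile(r"/mestats")                           # */mestats


def classify(uri: str, content_type: Optional[str] = None) -> Optional[str]:
    """Return the SPL EK stage a request resembles, or None if nothing matches."""
    if GATE_RE.search(uri) or GATE_GENERIC_RE.search(uri):
        return "gate"
    if JAR_DIR_RE.search(uri) or JAR_NAME_RE.search(uri):
        return "jar_payload"
    if EXE_RE.search(uri):
        # The EXE comes back labelled text/html rather than application/octet-stream;
        # report that mismatch explicitly since it is a stronger signal than the path alone.
        if content_type and content_type.lower().startswith("text/html"):
            return "exe_payload_mislabelled"
        return "exe_payload"
    return None


# Constructed sample log (client_ip host uri content_type); "-" means no Content-Type seen.
SAMPLE_LOG = """\
10.0.0.5 gate.example.test /?a=YWZmaWQ9MDQ1Mjc5MQ -
10.0.0.5 gate.example.test /spl_data/elpznnpljilqexy-a.vzxzdwznkkbd.jar application/java-archive
10.0.0.5 203.0.113.9 /mestats text/html
10.0.0.5 intranet.example.test /index.html text/html
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Run classify() over each log line; return (uri, stage) for every hit."""
    hits = []
    for line in text.splitlines():
        _client, _host, uri, ctype = line.split(maxsplit=3)
        stage = classify(uri, None if ctype == "-" else ctype)
        if stage:
            hits.append((uri, stage))
    return hits


if __name__ == "__main__":
    for uri, stage in scan_log(SAMPLE_LOG):
        print(f"{stage:25s} {uri}")
```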
