Unknown Exploit Kit (a036719)

Please message me via Twitter if you know a name for this exploit kit.

Example Exploit Chain

mp3musparade.com/ > Compromised Site
052x.de.ms/in.php?s=1 > Redir
sjkwoyusi.sendsmtp.com/a036719
sjkwoyusi.sendsmtp.com/031336kyt/sivw7295301.html?a036719
sjkwoyusi.sendsmtp.com/01891404/lwq92536?a036719
sjkwoyusi.sendsmtp.com/01891404/omn67 > JAR
sjkwoyusi.sendsmtp.com/01891404/929220175 > PDF
sjkwoyusi.sendsmtp.com/01891404/Ini.class
sjkwoyusi.sendsmtp.com/01891404/Ini/class.class
sjkwoyusi.sendsmtp.com/01891404/967261005 (content-type is image/jpeg) > ZBOT EXE

HTTP Request Method = GET
HTTP URI contains a036719 or a2ca0dfa or /01891404/ or /omn67
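As an added defender-side example (not part of the original post), here is the signature above applied to a few constructed proxy log lines; the log layout, field names and sample lines are assumptions for this illustration, and a second rule also catches the post's final stage, an executable delivered with an image/jpeg Content-Type.

```python
import re
from typing import Dict, List, Optional
# URI tokens from the post's signature (method GET plus any of these substrings)
URI_TOKENS = ("a036719", "a2ca0dfa", "/01891404/", "/omn67")

# Assumed log layout (constructed for this example, not a real proxy's format):
# <epoch> <client_ip> <method> <url> <status> <content_type> <hex of first 4 body bytes>
LOG_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\S+) ([0-9a-fA-F]*)$")
FIELDS = ("ts", "client", "method", "url", "status", "ctype", "magic")

# Constructed sample traffic: the chain from the post plus two lines that must not match
SAMPLE_LOG = """\
1333000001 10.0.0.5 GET http://mp3musparade.com/ 200 text/html 3c68746d
1333000002 10.0.0.5 GET http://052x.de.ms/in.php?s=1 302 text/html 3c68746d
1333000003 10.0.0.5 GET http://sjkwoyusi.sendsmtp.com/a036719 200 text/html 3c68746d
1333000004 10.0.0.5 GET http://sjkwoyusi.sendsmtp.com/01891404/omn67 200 application/java-archive 504b0304
1333000005 10.0.0.5 GET http://sjkwoyusi.sendsmtp.com/01891404/967261005 200 image/jpeg 4d5a9000
1333000006 10.0.0.9 GET http://example.org/images/photo.jpg 200 image/jpeg ffd8ffe0
1333000007 10.0.0.9 POST http://example.org/01891404/upload 200 text/html 3c68746d
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    # Return the fields of one line, or None when the line does not fit the layout
    m = LOG_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def uri_token_hit(method: str, url: str) -> bool:
    # The post's signature: GET requests whose URI carries one of the kit's tokens
    return method == "GET" and any(tok in url for tok in URI_TOKENS)

def exe_served_as_image(ctype: str, magic: str) -> bool:
    # Payload stage from the post: MZ header (4d5a) delivered with an image Content-Type
    return ctype.lower().startswith("image/") and magic.lower().startswith("4d5a")

def scan(log_text: str) -> List[Dict[str, object]]:
    # One record per suspicious line, listing every rule it tripped
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if uri_token_hit(rec["method"], rec["url"]):
            reasons.append("uri-token")
        if exe_served_as_image(rec["ctype"], rec["magic"]):
            reasons.append("exe-as-image")
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits
```

scan(SAMPLE_LOG) returns the three sendsmtp.com stages only; the POST carrying /01891404/ and the genuine JPEG are left alone.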

This kit has been seen using the dynamic DNS domains “jungleheart.com”, “sendsmtp.com”, and “itemdb.com”.

See examples of a036719 on UrlQuery.net

See examples of /01891404/ on UrlQuery.net
