Unknown Exploit Kit (32-Char Hex)

This looks like NeoSploit to me. Any confirmation or assistance would be much appreciated. (Likely Popads)

Chain:

http://www.indiandefence.com/forums/indian-defence-industry/2775-bel-developing-software-defined-radio.html Compromised site (redirect only fires when referred from Google)
http://gfxet.18flibosters.com/?5d60e92b8cd6d36f921cde3682194dbd=15&397b4250de951041c69eaab0f0cb979a=indiandefence.com
http://gfxet.18flibosters.com/130dd10026f2bdd30eec146d70112a6f.eot > Duqu Font Drop
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/82fc47de539aa72b0283bbef826abce2.jar > MalJAR
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/0 > XOR-encoded EXEs (served as text/html)
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/1
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/2
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/3
http://gfxet.18flibosters.com/a824e75bc82d7dc0318ee725baa39201/4

Sigs:

HTTP Request Method = GET

Gate: \/\?[a-f0-9]{32}=[0-9]+&[a-f0-9]{32}=
See More Examples on UrlQuery.net
EOT: \/[a-f0-9]{32}\.eot$
JAR: \/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$
See More Examples on UrlQuery.net
EXEs: \/[a-f0-9]{32}\/[0-9]$
See More Examples on UrlQuery.net

Drops ZeroAccess (UDP P2P)

Post-Compromise ZeroAccess (ZA) Indicators:

POST /CallBack/SomeScripts/mgsNewPeer.php HTTP/1.0
POST /CallBack/SomeScripts/mgsGetMGList.php HTTP/1.0
POST /CallBack/SomeScripts/update34.php HTTP/1.0

Sigs:

HTTP Request Method = POST
HTTP Uri = */CallBack/SomeScripts/*
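The following is an added example, not the post author's code: it applies the URL signatures from the Sigs section above (gate, EOT, JAR, EXE) together with the post-compromise POST callback pattern to proxy-log lines, so each request is tagged with the chain stage it matches. The 'METHOD URL' log format, the hostnames and the 32-hex values in the sample are constructed for illustration.

```python
# Added example (not the post author's code): apply the post's URL
# signatures plus the ZeroAccess POST callback pattern to proxy-log lines.
# The 'METHOD URL' log format, hostnames and hex values are constructed.
import re
from urllib.parse import urlsplit
HEX32 = r"[a-f0-9]{32}"
# (stage, HTTP method, regex) taken verbatim from the post's Sigs section;
# the regex is applied to the path (plus query string for the gate).
STAGES = [
    ("gate", "GET", re.compile(r"\/\?" + HEX32 + r"=[0-9]+&" + HEX32 + r"=")),
    ("eot", "GET", re.compile(r"\/" + HEX32 + r"\.eot$")),
    ("jar", "GET", re.compile(r"\/" + HEX32 + r"\/" + HEX32 + r"\.jar$")),
    ("exe", "GET", re.compile(r"\/" + HEX32 + r"\/[0-9]$")),
    # Post-compromise sig: POST with URI matching */CallBack/SomeScripts/*
    ("za_callback", "POST", re.compile(r"/CallBack/SomeScripts/")),
]

def classify(method, url):
    """Return the matching stage name, or None if the request is clean."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for name, meth, rx in STAGES:
        if method == meth and rx.search(target):
            return name
    return None

def triage(log_lines):
    """Parse 'METHOD URL' lines; return {stage: [urls]} for every hit."""
    hits = {}
    for line in log_lines:
        method, url = line.split(None, 1)
        stage = classify(method, url.strip())
        if stage:
            hits.setdefault(stage, []).append(url.strip())
    return hits

# Constructed sample log (not captured traffic); hex values are placeholders.
H1, H2 = "a" * 32, "b" * 32
SAMPLE_LOG = [
    f"GET http://ek.example.invalid/?{H1}=15&{H2}=referrer.example.invalid",
    f"GET http://ek.example.invalid/{H1}.eot",
    f"GET http://ek.example.invalid/{H1}/{H2}.jar",
    f"GET http://ek.example.invalid/{H1}/0",
    f"GET http://ek.example.invalid/{H1}/3",
    "POST http://c2.example.invalid/CallBack/SomeScripts/mgsNewPeer.php",
    f"GET http://cdn.example.invalid/{H1}/logo.png",  # benign: suffix not in sigs
    f"POST http://ek.example.invalid/{H1}.eot",  # benign: EOT sig requires GET
    "GET http://shop.example.invalid/?id=15&session=abc",  # benign: keys not 32-hex
]
```

Running `triage(SAMPLE_LOG)` tags the first six lines as gate, eot, jar, exe (twice) and za_callback, and leaves the three benign lines untagged; the method check matters because the same path pattern with the wrong verb is not a hit.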
