Unknown JAR downloads ZA

Paste of code that was found inline on a compromised site.

Just a jar that downloads an exe very quickly. Drops ZA. Seems to like port 8080.

Jar file is 1/46 on VT.

JAR

HTTP Request Method = GET
Content Type = application/x-java-archive
Regex HTTP URI for "\/[0-9]{10}\/[0-9]{5}$"

Examples:

http://208.107.94.166:8080/6983672332/25996
http://41.78.37.146:8080/4634192430/48306
http://78.93.200.98:8080/2536701818/24556

EXE

HTTP Request Method = GET
Content Type = application/octet-stream
Regex HTTP URI for "\/[0-9]{5}$"

Examples:

http://78.93.200.98:8080/15392
http://78.93.38.140:8080/11282

See more examples on UrlQuery.net
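
The two stages above expressed as a proxy-log check, as an added example that is not code from the original post. The record layout, the sample log lines and the 60-second correlation window are assumptions constructed for illustration; a URI matching the JAR pattern is never counted as the EXE stage, because the EXE pattern also matches the last segment of a JAR URI.

```python
import re
from urllib.parse import urlsplit

# URI patterns from the post, applied to the URL path only.
JAR_URI = re.compile(r"/[0-9]{10}/[0-9]{5}$")
EXE_URI = re.compile(r"/[0-9]{5}$")

def classify(method, url, content_type):
    """Return 'jar', 'exe' or None for one proxy log record."""
    if method != "GET":
        return None
    path = urlsplit(url).path
    ctype = content_type.split(";")[0].strip().lower()
    # Test the JAR shape first: "/NNNNNNNNNN/NNNNN" also satisfies EXE_URI,
    # so a JAR-shaped path is only ever reported as the JAR stage.
    if JAR_URI.search(path):
        return "jar" if ctype == "application/x-java-archive" else None
    if EXE_URI.search(path) and ctype == "application/octet-stream":
        return "exe"
    return None

def find_chains(records, window=60):
    """Clients that got a JAR hit followed by an EXE hit within `window` seconds.

    `window` is an assumed value; the post only says the EXE follows quickly.
    """
    last_jar, chains = {}, []
    for ts, client, method, url, ctype in sorted(records):
        kind = classify(method, url, ctype)
        if kind == "jar":
            last_jar[client] = (ts, url)
        elif kind == "exe" and client in last_jar:
            jar_ts, jar_url = last_jar[client]
            if ts - jar_ts <= window:
                chains.append((client, jar_url, url))
    return chains

# Constructed records: (epoch seconds, client, method, URL, Content-Type)
SAMPLE = [
    (1000, "10.0.0.5", "GET", "http://192.0.2.10:8080/1234567890/12345", "application/x-java-archive"),
    (1004, "10.0.0.5", "GET", "http://192.0.2.10:8080/54321", "application/octet-stream"),
    (1010, "10.0.0.7", "GET", "http://198.51.100.4/files/20130", "text/html"),
    (1020, "10.0.0.8", "GET", "http://198.51.100.9:8080/99999", "application/octet-stream"),
    (1030, "10.0.0.9", "POST", "http://192.0.2.10:8080/1234567890/12345", "application/x-java-archive"),
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE):
        print(chain)
```

An EXE-pattern hit on its own (client 10.0.0.8 in the sample) is still classified but not reported as a chain, since a five-digit path served as application/octet-stream is a weaker signal without the preceding JAR request.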
