BEK2 Variant 4

GATE

HTTP Request Method = GET
HTTP URI contains */index.php?*
Regex HTTP URI for “^http:\/\/[a-f0-9]{16}\.[a-z0-9-.]+?\/index\.php\?[a-z]=[a-zA-Z0-9]{150,}(={1,2})?$”

Deob Stuff / Build iframe / Plugindetect

HTTP Request Method = GET
HTTP URI = */sort.php OR */info/last/index.php
Regex HTTP URI for “^http:\/\/[0-9a-f]{25,65}\.”

See examples of /info/last/index.php on UrlQuery.net
See examples of /sort.php on UrlQuery.net

JAR

HTTP Request Method = GET
HTTP URI contains */info/last/index.php*
Content-type = application/java-archive
Regex HTTP URI for “\.php\?[a-z]{3,8}=[a-z]{3,8}&[a-z]{3,8}=[a-z]{3,8}$”

OR

HTTP Request Method = GET
HTTP URI contains */info/finance/*.jar
Content-type = application/java-archive

PDF

HTTP Request Method = GET
HTTP URI contains */info/last/index.php*
Content-type = application/pdf
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]” (ten colon-separated two-character tokens, e.g. ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n in the chain below; written with the colon inside the group, otherwise it would require nine consecutive colons and never match)

EXE *Currently works for all BEK2 variants that I’m aware of*

HTTP Request Method = GET
HTTP URI contains *.php?*
Content-type = application/x-msdownload
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]” (same ten-token parameter as the PDF request; the Content-type is what separates the two)

EXIT/TIMEOUT REDIR

HTTP Request Method = GET
HTTP URI contains */exit.php*
Regex HTTP URI for “^http:\/\/[0-9a-f]{25,65}\.”

Example Chain:

hxxp://345bd0d9d7a281cf.akafi .net/index.php?o=anM9MSZrZ3l1dHJmZj1neXZkJnRpbWU9MTMwMTI5MTUyMy02NDc4ODcyNzYmc3JjPTI0JnN1cmw9d3d3LmxpbmhhcXVlbnRlLmNvbSZzcG9ydD04MCZrZXk9RTg2NDdFMDYmc3VyaT0vbGluaGFxdWVudGVibG9nLmpz > Gate / build urls
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/sort.php > Write iframe / deob urls in base 64
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php > Plugin Detect
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?zqqwgarw=nib&sndecry=qqub > JAR
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?njks=1l:33:1j:33:2w&ogb=3h&ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n&rtg=1n:1d:1g:1d:1h:1d:1f > PDF
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/exit.php?x=24&t=onunload > Send victim elsewhere
hxxp://www.freemilfpassport.com/?t=113244,1,99,0 > Popover pr0n
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?auivnl=1l:33:1j:33:2w&lak=1l:32:1j:2v:33:2v:1h:1h:1i:1n&udkdh=1i&xozzwtj=psf&pmemeyb=smemh > EXE (Java)
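The rules above run over the example chain, as an added example (not part of the original post and not anything shipped with the kit): each request is tagged with the stage whose method, URI and Content-type rule it satisfies. Assumptions: the defanged hostnames (hxxp, “akafi .net”) are rejoined so the anchored regexes can match; the response Content-types are taken from the stage each URL is labelled with on the page; the PDF/EXE token regex is written as ten colon-separated tokens; and one unrelated request on example.com is constructed to show a non-match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Signatures transcribed from the page for BEK2 variant 4. The PDF/EXE token
# regex is written as ten colon-separated [1-3][a-z0-9] tokens, which is what
# the chain's parameters (e.g. ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n) contain.
GATE_RE = re.compile(
    r"^http://[a-f0-9]{16}\.[a-z0-9.-]+?/index\.php\?[a-z]=[a-zA-Z0-9]{150,}(={1,2})?$")
LONG_SUBDOMAIN_RE = re.compile(r"^http://[0-9a-f]{25,65}\.")
JAR_QUERY_RE = re.compile(r"\.php\?[a-z]{3,8}=[a-z]{3,8}&[a-z]{3,8}=[a-z]{3,8}$")
FINANCE_JAR_RE = re.compile(r"/info/finance/.*\.jar")
TOKEN_CHAIN_RE = re.compile(r"([1-3][a-z0-9]:){9}[1-3][a-z0-9]")


@dataclass
class HttpRequest:
    method: str
    uri: str
    content_type: Optional[str] = None  # Content-Type of the response, if known


def classify(req: HttpRequest) -> Optional[str]:
    """Return the BEK2 stage a request/response pair matches, or None."""
    if req.method != "GET":
        return None
    uri, ct = req.uri, (req.content_type or "").lower()
    # Gate: 16-hex-char subdomain, index.php with one long base64 parameter.
    if "/index.php?" in uri and GATE_RE.match(uri):
        return "GATE"
    # JAR: two-word query on the landing page, or a direct /info/finance/*.jar
    # fetch; both are served as application/java-archive.
    if ct == "application/java-archive" and (
        ("/info/last/index.php" in uri and JAR_QUERY_RE.search(uri))
        or FINANCE_JAR_RE.search(uri)
    ):
        return "JAR"
    # PDF and EXE share the ten-token parameter; the Content-Type tells them apart.
    if ct == "application/pdf" and "/info/last/index.php" in uri and TOKEN_CHAIN_RE.search(uri):
        return "PDF"
    if ct == "application/x-msdownload" and ".php?" in uri and TOKEN_CHAIN_RE.search(uri):
        return "EXE"
    # Exit redirect and the deob/iframe/plugin-detect pages sit on the long
    # (25-65 hex) subdomain; the latter two are matched on the bare path only,
    # so the JAR/PDF/EXE requests with a query string do not fall in here.
    if LONG_SUBDOMAIN_RE.match(uri):
        if "/exit.php" in uri:
            return "EXIT_REDIR"
        if uri.endswith("/sort.php") or uri.endswith("/info/last/index.php"):
            return "DEOB_IFRAME_PLUGINDETECT"
    return None


# Constructed sample: the page's example chain with the defanging undone, plus
# one unrelated request. Content-Types are assumed from the stage labels.
HOST = "345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi.net"
SAMPLE_CHAIN: List[HttpRequest] = [
    HttpRequest("GET", "http://345bd0d9d7a281cf.akafi.net/index.php?o=anM9MSZrZ3l1dHJmZj1neXZkJnRpbWU9MTMwMTI5MTUyMy02NDc4ODcyNzYmc3JjPTI0JnN1cmw9d3d3LmxpbmhhcXVlbnRlLmNvbSZzcG9ydD04MCZrZXk9RTg2NDdFMDYmc3VyaT0vbGluaGFxdWVudGVibG9nLmpz", "text/html"),
    HttpRequest("GET", f"http://{HOST}/sort.php", "text/html"),
    HttpRequest("GET", f"http://{HOST}/info/last/index.php", "text/html"),
    HttpRequest("GET", f"http://{HOST}/info/last/index.php?zqqwgarw=nib&sndecry=qqub", "application/java-archive"),
    HttpRequest("GET", f"http://{HOST}/info/last/index.php?njks=1l:33:1j:33:2w&ogb=3h&ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n&rtg=1n:1d:1g:1d:1h:1d:1f", "application/pdf"),
    HttpRequest("GET", f"http://{HOST}/exit.php?x=24&t=onunload", "text/html"),
    HttpRequest("GET", "http://example.com/?t=113244,1,99,0", "text/html"),  # constructed, unrelated
    HttpRequest("GET", f"http://{HOST}/info/last/index.php?auivnl=1l:33:1j:33:2w&lak=1l:32:1j:2v:33:2v:1h:1h:1i:1n&udkdh=1i&xozzwtj=psf&pmemeyb=smemh", "application/x-msdownload"),
]


def classify_chain(chain: List[HttpRequest]) -> List[Tuple[str, Optional[str]]]:
    """Tag every request in a chain with its stage (None for no match)."""
    return [(r.uri, classify(r)) for r in chain]


if __name__ == "__main__":
    for uri, stage in classify_chain(SAMPLE_CHAIN):
        print(f"{stage or '-':26} {uri[:80]}")
```

The Content-type check is what keeps the PDF and EXE rules from firing on each other, and the bare-path comparison for sort.php / info/last/index.php is what keeps the plugin-detect rule from swallowing the later payload requests on the same path; a proxy log without response Content-type will only be able to tag the gate, plugin-detect and exit stages with these rules.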
