Slight changes in RedKit URI

Finally seeing some changes/customization in RedKit payloads, a departure from the static files.

vivianmastrangelo.com/atnf.htm
vivianmastrangelo.com/pqo.jar
vivianmastrangelo.com/11.html > encoded (application/octet-stream)

chelscore.com/wtpp.html
chelscore.com/jce.jar
chelscore.com/55.html > encoded (application/octet-stream)

JAR

HTTP Method = GET
Content-Type = application/java-archive
HTTP URI regex = \/[a-z0-9]{3}\.jar$

Confirmed by @node5 and @xanda on Twitter

EXE

HTTP Method = GET
Content-Type = application/octet-stream
HTTP Destination = *.html
User-Agent = *Java/1.*

HTTP URI regex = \/[0-9]{2}\.html$ <-- Optional
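
The JAR and EXE indicators above combined into one check over proxy records (an added example, not from the original post). The record field names, the User-Agent strings and the example.com rows are constructed assumptions; the two RedKit URLs are the ones listed above. "exe" means the required fields matched, "exe-strict" that the optional two-digit URI regex matched as well.

```python
import re
from urllib.parse import urlsplit

JAR_URI = re.compile(r"/[a-z0-9]{3}\.jar$")
EXE_URI = re.compile(r"/[0-9]{2}\.html$")  # the optional regex from the post

def classify(rec):
    """Return 'jar', 'exe', 'exe-strict' or None for one HTTP transaction."""
    if rec["method"] != "GET":
        return None
    # Match on the path only, so a query string cannot defeat the $ anchor.
    path = urlsplit(rec["url"]).path
    # Drop parameters such as '; charset=...' before comparing the MIME type.
    ctype = rec["content_type"].split(";", 1)[0].strip().lower()
    if ctype == "application/java-archive" and JAR_URI.search(path):
        return "jar"
    if (ctype == "application/octet-stream" and path.endswith(".html")
            and "Java/1." in rec["user_agent"]):
        return "exe-strict" if EXE_URI.search(path) else "exe"
    return None

JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17"     # constructed
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"  # constructed
FIELDS = ("method", "url", "content_type", "user_agent")

# Constructed proxy records built around URLs from the post plus benign rows.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("GET", "http://vivianmastrangelo.com/pqo.jar", "application/java-archive", JAVA_UA),
    ("GET", "http://vivianmastrangelo.com/11.html", "application/octet-stream", JAVA_UA),
    # Landing page: the post gives no rule for it, so it is not flagged.
    ("GET", "http://chelscore.com/wtpp.html", "text/html", BROWSER_UA),
    # Benign JAR: file name is longer than three characters.
    ("GET", "http://example.com/lib/commons.jar", "application/java-archive", JAVA_UA),
    # Required EXE fields match, optional two-digit regex does not.
    ("GET", "http://example.com/update.html?v=2",
     "application/octet-stream; charset=binary", JAVA_UA),
]]

def scan(records):
    """Return (url, verdict) for every record that matches an indicator."""
    hits = ((r["url"], classify(r)) for r in records)
    return [(url, verdict) for url, verdict in hits if verdict]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE):
        print(f"{verdict:<10} {url}")
```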
