FlashPack Exploit Kit (SafePack)

This is a renaming of SafePack / CritX, and @Kafeine has added details to his SafePack post here > http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

What I found interesting was that the old tag used to be something like \/[a-z][0-9]{6}[a-z]\/ that looked like it contained a date.

/a220213k/ > 22 02 13

Now it's a bit different:

/bods2903bue/ > 29 03
/ab1905kloq/ > 19 05
/arok2905yer/ > 29 05
/aaz0406rrtw/ > 04 06

We can update some sigs as follows.

FlashPack Landing

HTTP Method = GET
HTTP URI contains /index.php?id=
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack PluginDetect

HTTP Method = GET
HTTP URI ends with /js/js.js
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack PluginDetect Response

HTTP Method = GET
HTTP URI contains /gate.php?ver=
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack JAR

HTTP Method = GET
HTTP URI contains /j15.php?i= OR /j16.php?i= OR /j17.php?i= OR /j07.php?i= OR /j161.php?i=
Content-type = application/java-archive
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/

FlashPack EXE

HTTP Method = GET
HTTP URI contains /load.php?e=
Content-type = application/octet-stream
Regex HTTP URI for \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/
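To show both the date-bearing tag observation above and the five signatures as working detection logic, here is an added Python example; it is not code from the original post or from any IDS product. It assumes a simplified, constructed log format of one request per line (method, URI, response Content-Type), uses hostnames under example.invalid, and treats the tag regex \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/ plus the GET method as a precondition shared by every rule, exactly as the signature list states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Directory tag patterns from the post: old form /a220213k/ carries DDMMYY,
# new form /bods2903bue/ carries DDMM.
OLD_TAG_RE = re.compile(r"/([a-z])([0-9]{6})([a-z])/")
NEW_TAG_RE = re.compile(r"/([a-z]{2,5})([0-9]{4})([a-z]{2,5})/")


def extract_tag_date(uri):
    """Return (day, month, year-or-None) from the first tag found in uri, or None."""
    m = OLD_TAG_RE.search(uri)
    if m:
        digits = m.group(2)
        return (digits[0:2], digits[2:4], digits[4:6])
    m = NEW_TAG_RE.search(uri)
    if m:
        digits = m.group(2)
        return (digits[0:2], digits[2:4], None)
    return None


@dataclass
class HttpEvent:
    method: str
    uri: str
    content_type: Optional[str] = None  # response Content-Type, if the sensor has it


JAR_PATHS = ("/j15.php?i=", "/j16.php?i=", "/j17.php?i=", "/j07.php?i=", "/j161.php?i=")

# (signature name, URI test, required response Content-Type or None), from the post.
SIGNATURES = (
    ("FlashPack Landing", lambda u: "/index.php?id=" in u, None),
    ("FlashPack PluginDetect", lambda u: u.endswith("/js/js.js"), None),
    ("FlashPack PluginDetect Response", lambda u: "/gate.php?ver=" in u, None),
    ("FlashPack JAR", lambda u: any(p in u for p in JAR_PATHS), "application/java-archive"),
    ("FlashPack EXE", lambda u: "/load.php?e=" in u, "application/octet-stream"),
)


def match_signatures(ev):
    """Return the names of every signature the event satisfies.

    GET plus the new-style tag regex are preconditions for all five rules, so
    they are checked once up front; the Content-Type check ignores parameters
    such as ';charset=...'.
    """
    if ev.method != "GET" or not NEW_TAG_RE.search(ev.uri):
        return []
    hits = []
    for name, uri_test, ctype in SIGNATURES:
        if not uri_test(ev.uri):
            continue
        if ctype is not None:
            seen = (ev.content_type or "").split(";")[0].strip().lower()
            if seen != ctype:
                continue
        hits.append(name)
    return hits


# Constructed sample log: "METHOD URI CONTENT-TYPE", one event per line.
SAMPLE_LOG = """\
GET http://example.invalid/bods2903bue/index.php?id=12 text/html
GET http://example.invalid/bods2903bue/js/js.js application/javascript
GET http://example.invalid/bods2903bue/gate.php?ver=abc text/html
GET http://example.invalid/bods2903bue/j17.php?i=1 application/java-archive
GET http://example.invalid/bods2903bue/load.php?e=2 application/octet-stream
GET http://example.invalid/bods2903bue/load.php?e=2 text/html
GET http://example.invalid/static/index.php?id=12 text/html
POST http://example.invalid/bods2903bue/index.php?id=12 text/html
"""


def parse_log(text):
    """Turn the constructed log format into HttpEvent objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, uri, ctype = line.split()
        events.append(HttpEvent(method, uri, ctype))
    return events


def scan_log(text):
    """Return (uri, [signature names]) for every event that triggers at least one rule."""
    results = []
    for ev in parse_log(text):
        hits = match_signatures(ev)
        if hits:
            results.append((ev.uri, hits))
    return results


if __name__ == "__main__":
    for uri, hits in scan_log(SAMPLE_LOG):
        print(extract_tag_date(uri), uri, "->", ", ".join(hits))
```

Of the eight constructed lines, only the first five alert: the sixth fails the Content-Type condition on the EXE rule, the seventh has no tag directory, and the eighth is a POST. Note that the PluginDetect rule is an "ends with" test, so a query string appended to js/js.js would slip past it as written.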
