Private Exploit Pack

@Kafeine has a complete writeup here. > http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html

This is very similar in URI structure to something found by @Set_Abominae. > http://pastebin.com/5LMq56bA

Chain:

/blog/post.php?name=lB5Uenr4V&id=57216084&page=730
/blog/js/PluginDetect.js
/blog/xwncgmxctx.php?x=3547129&id=57216084
/blog/xwncgmxctx.php?x=5512027&id=57216084 > JAR
/blog/com.class
/blog/net.class
/blog/org.class
/blog/edu.class
/blog/icakinsoef.php?x=5512027&id=57216084 > EXE

Private Exploit Pack JAR

HTTP Method = GET
User Agent = *Java/1.*
Content-Type = application/x-java-archive
Regex HTTP URI for \.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$

Private Exploit Pack EXE

HTTP Method = GET
User Agent = *Java/1.*
Content-Type = application/octet-stream
Regex HTTP URI for \.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$
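The two signatures above as executable detection logic, an added example that is not the original post's rule syntax: it applies the post's HTTP method, User-Agent glob, Content-Type and URI regex to a few constructed proxy-log records mirroring the chain; the record layout (method, URI, User-Agent, response Content-Type) and the function names are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Values taken from the post: URI regex, User-Agent glob, and the Content-Type
# that distinguishes the JAR fetch from the EXE fetch.
URI_RE = re.compile(r"\.php\?[a-z]+=[0-9]+&[a-z]+=[0-9]+$")
UA_GLOB = "*Java/1.*"
SIGNATURES = {
    "application/x-java-archive": "Private Exploit Pack JAR",
    "application/octet-stream": "Private Exploit Pack EXE",
}

def match_pep(method, uri, user_agent, content_type):
    """Return the signature name that fires for one request/response pair, or None."""
    if method != "GET":
        return None
    if not fnmatchcase(user_agent, UA_GLOB):
        return None
    if not URI_RE.search(uri):
        return None
    # Content-Type comes from the response; drop parameters such as "; charset=".
    ctype = content_type.split(";")[0].strip().lower()
    return SIGNATURES.get(ctype)

# Constructed records (hypothetical proxy log) following the chain in the post.
SAMPLE_LOG = [
    ("GET", "/blog/post.php?name=lB5Uenr4V&id=57216084&page=730", "Mozilla/5.0", "text/html"),
    ("GET", "/blog/js/PluginDetect.js", "Mozilla/5.0", "application/javascript"),
    ("GET", "/blog/xwncgmxctx.php?x=5512027&id=57216084", "Java/1.7.0_21", "application/x-java-archive"),
    ("GET", "/blog/icakinsoef.php?x=5512027&id=57216084", "Java/1.7.0_21", "application/octet-stream"),
    # Same URI shape but a browser User-Agent: stays quiet, which is why the UA
    # condition matters for keeping the URI regex from firing on ordinary PHP pages.
    ("GET", "/blog/view.php?x=12&id=34", "Mozilla/5.0", "text/html"),
]

def scan(records):
    """Run every record through the signatures and return (uri, signature) hits."""
    hits = []
    for method, uri, ua, ctype in records:
        name = match_pep(method, uri, ua, ctype)
        if name:
            hits.append((uri, name))
    return hits

if __name__ == "__main__":
    for uri, name in scan(SAMPLE_LOG):
        print(f"{name}: {uri}")
```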