Flashpack /svoykrik/ Variant

Flashpack is still around and has recently been seen being delivered through ads.

Observed IP Addresses:

198.98.121.245
108.171.205.105
46.254.21.128
50.2.53.150

GATE

HTTP Method = GET
HTTP URI contains */svoykrik/gate.php?id=*&callback=__JSONP__0
Regex HTTP for id=[0-9]{20,}

JAR

HTTP Method = GET
HTTP URI contains */svoykrik/jete/*
User Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP for \/[a-f0-9]{32}\.jar$

EXE

HTTP Method = GET
HTTP URI contains */svoykrik/*
User Agent = *Java/1.*
Regex HTTP for \.php\?cashe=[0-9]{20}$
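
The three signatures above applied to proxy-log style HTTP events, as an added example that is not part of the original post. The event field names (`method`, `uri`, `user_agent`, `content_type`) are assumptions about the log schema, and the sample events are constructed, not captured traffic.

```python
import re

# The post's conditions as regexes; '*' wildcards become '.*' or an unanchored search.
RULES = {
    "GATE": {"uri": [r"/svoykrik/gate\.php\?id=.*&callback=__JSONP__0",
                     r"id=[0-9]{20,}"]},
    "JAR": {"uri": [r"/svoykrik/jete/", r"/[a-f0-9]{32}\.jar$"],
            "user_agent": r"Java/1\.",
            "content_type": r"^application/x-java-archive$"},
    "EXE": {"uri": [r"/svoykrik/", r"\.php\?cashe=[0-9]{20}$"],
            "user_agent": r"Java/1\."},
}

def classify(event):
    """Return the rule names one HTTP event satisfies (field names are assumed)."""
    if event.get("method", "").upper() != "GET":
        return []
    uri = event.get("uri", "")
    # Drop parameters such as '; charset=...' before comparing the media type.
    ctype = event.get("content_type", "").split(";")[0].strip().lower()
    hits = []
    for name, rule in RULES.items():
        if not all(re.search(p, uri) for p in rule["uri"]):
            continue
        if "user_agent" in rule and not re.search(rule["user_agent"], event.get("user_agent", "")):
            continue
        if "content_type" in rule and not re.search(rule["content_type"], ctype):
            continue
        hits.append(name)
    return hits

# Constructed sample events (not real traffic); the .php file name is made up.
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"
SAMPLES = [
    {"method": "GET", "user_agent": "Mozilla/5.0",
     "uri": "/svoykrik/gate.php?id=12345678901234567890&callback=__JSONP__0"},
    {"method": "GET", "user_agent": JAVA_UA, "content_type": "application/x-java-archive",
     "uri": "/svoykrik/jete/0123456789abcdef0123456789abcdef.jar"},
    {"method": "GET", "user_agent": JAVA_UA,
     "uri": "/svoykrik/sample.php?cashe=12345678901234567890"},
    {"method": "GET", "user_agent": JAVA_UA, "content_type": "application/x-java-archive",
     "uri": "/static/applet.jar"},  # benign JAR fetch outside /svoykrik/
    {"method": "GET", "user_agent": "Mozilla/5.0",
     "uri": "/svoykrik/gate.php?id=12345&callback=__JSONP__0"},  # id too short
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(classify(ev) or ["no match"], ev["uri"])
```

The last two samples are near misses that show why each rule needs both the path condition and the regex, not either one alone.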
