Author Topic: Phoenix kits  (Read 5972 times)


December 01, 2011, 05:51:51 pm

pktguy

  • Jr. Member


December 01, 2011, 06:20:49 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

Are you sure that it is Phoenix ?

I'm looking for the name.

http://www.malwaredomainlist.com/forums/index.php?topic=4695.0

I still have the problem that it always returns 404 only.
Ruining the bad guy's day

December 01, 2011, 06:54:20 pm
Reply #2

pktguy

  • Jr. Member

It triggered Emerging Threats rule "ET CURRENT_EVENTS Phoenix URI Requested Contains /? and hex", so I am assuming that's what it is. I hit the URL from inside a sandbox, which caused it to download several .jar files and finally loaded zeroaccess. You can see where it tried to load the applets in the SetInnerHTML section of http://urlquery.net/report.php?id=10179
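The reply above describes two things a defender can look for in proxy logs: a landing-page request whose URI is "/?" followed by a hex string (the shape the ET rule name refers to), and the burst of .jar fetches from the same client that followed it. The script below is an added example, not code from this thread, from Emerging Threats, or from urlquery; the regex is my approximation of what the rule name describes, not the published rule body, and the log format and log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the signature named in the thread fires on a request whose path
# is "/" and whose query string is a bare run of hex digits. This regex is a
# constructed approximation of that description, not the published rule.
HEX_QUERY = re.compile(r"^[0-9a-fA-F]{8,}$")
JAR_PATH = re.compile(r"\.jar$", re.IGNORECASE)

# Constructed sample proxy log, one request per line:
# "<epoch seconds> <client ip> <method> <url> <status>"
SAMPLE_LOG = """\
1322761911 10.0.0.5 GET http://landing.example.invalid/index.html 200
1322761912 10.0.0.5 GET http://landing.example.invalid/?4f7a2c1d9e0b3a5c 200
1322761915 10.0.0.5 GET http://landing.example.invalid/applet1.jar 200
1322761918 10.0.0.5 GET http://landing.example.invalid/applet2.jar 200
1322761920 10.0.0.7 GET http://shop.example.invalid/?q=deadbeef 200
1322762100 10.0.0.5 GET http://cdn.example.invalid/lib.jar 200
"""


def parse_log(text):
    """Yield (timestamp, client, url) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, _method, url, _status = fields
        yield int(ts), client, url


def is_hex_landing(url):
    """True when the URL has the '/?<hex>' shape the rule name describes.

    A query like 'q=deadbeef' contains hex but is not a bare hex run, so it
    does not match; that keeps ordinary search URLs out of the alert stream.
    """
    parts = urlsplit(url)
    return parts.path == "/" and bool(HEX_QUERY.match(parts.query))


def find_landings(text):
    """Return every (timestamp, client, url) that matches the landing pattern."""
    return [(ts, c, u) for ts, c, u in parse_log(text) if is_hex_landing(u)]


def correlate_jar_fetches(text, window=60):
    """For each flagged landing hit, collect .jar fetches by the same client
    within `window` seconds, mirroring the landing -> applet chain the post
    describes. Returns a list of dicts with client, landing URL and jar URLs."""
    events = list(parse_log(text))
    chains = []
    for ts, client, url in events:
        if not is_hex_landing(url):
            continue
        jars = [u for t, c, u in events
                if c == client
                and ts <= t <= ts + window
                and JAR_PATH.search(urlsplit(u).path)]
        chains.append({"client": client, "landing": url, "jars": jars})
    return chains


if __name__ == "__main__":
    for chain in correlate_jar_fetches(SAMPLE_LOG):
        print(chain["client"], chain["landing"])
        for jar in chain["jars"]:
            print("   ->", jar)
```

On the constructed log this flags the single "/?4f7a..." request from 10.0.0.5 and attaches the two applet fetches that follow it within a minute; the later lib.jar request from the same client falls outside the window and the "?q=deadbeef" request from 10.0.0.7 never matches, which is the kind of false positive a bare "contains hex" check would produce.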