NOTE: Information is based on a sample captured on 2013-10-02
I'm not sure the term 'exploit kit' really applies here. Yes, there is exploit code copied from the Packet Storm Advisory (PSA) for CVE-2013-2465, but I'd expect more code around it before calling it a 'kit', and I can't imagine any server-side code exists. There is no environment validation of any sort: no plugin and version identification, no initial payload encryption, no data encoding, no code obfuscation. Base64 encoding is used just once, to 'hide' a single string. So, another 'interesting' piece of work.
The URL pattern is short and simple.
The landing page is also short and simple.
The parameter name is the first hint at the possible origin of this Java exploit: 'kurban' is Turkish for 'victim'. The value of this parameter is the Initial Payload location.
The JAR file is 'packed' with goodies. Execution begins with an attempt to exploit CVE-2013-2465.
| Field | Value |
|---|---|
| Source/Credits | Live Fiddler capture |
| Infection vectors detected | Java |
| Transfer mode | plain text |
| Java infection vector | |
| Captured with | Direct download - Firefox/14.0.1 |
| JAR hidden content | None |
| Initial Payload delivery method | URL |
| Initial Payload encryption/encoding | No |
| Initial Payload store location | Default temporary-file directory |
| Initial Payload filename | Hardcoded - 'thefire.exe' |
| Adobe infection vector | |
| Captured with | Not implemented |
| Initial Payload delivery method | |
| Initial Payload store location | |
| Initial Payload filename | |
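As an added illustration (not part of the original write-up), the two plain indicators recorded above, the 'kurban' parameter carrying an unencoded payload URL and the hardcoded 'thefire.exe' filename, are enough for a simple log-side detection. The log format, hostnames and paths below are constructed placeholders, since the write-up does not reproduce the actual URL pattern:

```python
"""Log-side detection for the indicators in this write-up.

Added example, not code from the original post. Flags requests whose
'kurban' query parameter carries a URL (the initial payload location)
and requests that fetch the hardcoded payload filename 'thefire.exe'.
All hosts, paths and the log layout are constructed placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "kurban"               # landing-page parameter from the write-up
PAYLOAD_NAME = "thefire.exe"   # hardcoded payload filename from the write-up

# Constructed sample log: "<client> <method> <url> <status>", one request per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://landing.example.invalid/go.php?kurban=http://drop.example.invalid/thefire.exe 200
10.0.0.5 GET http://drop.example.invalid/thefire.exe 200
10.0.0.7 GET http://www.example.invalid/search?q=kurban 200
10.0.0.9 GET http://site.example.invalid/l.php?kurban=http%3A%2F%2Fdrop.example.invalid%2Fx.exe 200
10.0.0.9 GET http://site.example.invalid/l.php?kurban=1234 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s*$")


def payload_location(url):
    """Return the remote payload URL carried in the PARAM query parameter, or None.

    The kit passes the initial payload location as a plain URL in this
    parameter (no encoding or encryption), so the check is simply: is there
    a 'kurban' value that parses as an http(s) URL with a host?
    """
    query = parse_qs(urlsplit(url).query)
    for value in query.get(PARAM, []):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.netloc:
            return value
    return None


def is_payload_download(url):
    """True when the request path ends in the hardcoded payload filename."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[-1].lower() == PAYLOAD_NAME


def scan_log(text):
    """Run both checks over the log text; return (client, rule, url) findings."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        client, _method, url, _status = m.groups()
        loc = payload_location(url)
        if loc:
            findings.append((client, "kurban-param-carries-url", loc))
        if is_payload_download(url):
            findings.append((client, "hardcoded-payload-filename", url))
    return findings


if __name__ == "__main__":
    for client, rule, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{rule}\t{url}")
```

`parse_qs` percent-decodes values, so the parameter rule still fires when the payload URL arrives URL-encoded (fourth sample line), while a non-URL value such as `kurban=1234` is ignored. The filename rule is kept separate so that a direct fetch of the payload is still caught even when the landing-page request itself is missing from the log.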
Java JAR - virustotal.com: No sample available
Possibly originated from Turkey, or the author speaks Turkish.