As there has already been some great analysis on the kit and this encounter seems typical, I’ll make this a quick analysis for awareness.
For this encounter, a Java archive (CVE-2013-2465) was delivered from: jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/rvwkskfbg?jtfbutsheuvn=pknhvwcmvfw
This was followed by the encoded payload from: jkpkgwxlptwwfclbmjjl.is-an-artist[.]com:8000/fzolglbluiwqe?jipmjvm=pknhvwcmvfw
(As noted by malwaremustdie, this kit makes a number of requests for .css and various image files; all junk and not worth wasting time on, but it's good to be aware of this behavior, as it appears to be an attempt to deceive analysts and pose as interactions with a legitimate site.)
A geolocation lookup via j.maxmind.com/app/geoip.js was seen immediately after the binary download.
This was followed by initial communication with a known ZeroAccess CnC at 22.214.171.124.
* With this encounter I observed an errant Java request for /META-INF/services/javax.xml.datatype.DatatypeFactory from the compromised domain.
Not sure if this is unique to this encounter or a potential indicator.
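For defenders who want to turn the sequence above into a detection, here is an added example (mine, not part of the original write-up) that correlates three of the observed behaviors per client in proxy logs: a Java-client fetch from a long random-looking hostname on a non-standard port, the follow-up j.maxmind.com/app/geoip.js lookup, and a Java-client request for a /META-INF/services/ path over HTTP against the compromised site. The log lines, hostnames (a .test stand-in replaces the real dynamic-DNS domain), timestamps, the Java/ User-Agent prefix, the 15-character label threshold and the two-minute window are all constructed assumptions for this example; the junk .css and image requests are deliberately not scored.

```python
"""Correlate the exploit-kit behaviors from the encounter above in proxy logs.

Indicators (one request can trip one or more):
  java_fetch_odd_host          Java client fetching from a long random-looking
                               first label on a non-standard port (:8000 here)
  maxmind_geoip                client-side geolocation lookup via geoip.js
  meta_inf_services_over_http  Java client asking a web server for a
                               JAR-internal /META-INF/services/ descriptor
A client that trips >= 2 distinct indicators inside WINDOW raises an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log: "<ISO timestamp> <client_ip> <method> <url> <user_agent>"
# Hostnames, addresses, timestamps and User-Agents are made up for this example.
SAMPLE_LOG = """\
2013-09-01T10:00:01 10.0.0.5 GET http://www.example-news.test/index.html Mozilla/5.0
2013-09-01T10:00:03 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.dyn-example.test:8000/rvwkskfbg?jtfbutsheuvn=pknhvwcmvfw Java/1.7.0_21
2013-09-01T10:00:04 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.dyn-example.test:8000/style.css Mozilla/5.0
2013-09-01T10:00:05 10.0.0.5 GET http://jkpkgwxlptwwfclbmjjl.dyn-example.test:8000/fzolglbluiwqe?jipmjvm=pknhvwcmvfw Java/1.7.0_21
2013-09-01T10:00:06 10.0.0.5 GET http://www.example-news.test/META-INF/services/javax.xml.datatype.DatatypeFactory Java/1.7.0_21
2013-09-01T10:00:09 10.0.0.5 GET http://j.maxmind.com/app/geoip.js Mozilla/5.0
2013-09-01T10:05:00 10.0.0.7 GET http://j.maxmind.com/app/geoip.js Mozilla/5.0
2013-09-01T10:05:02 10.0.0.7 GET http://www.example-shop.test/cart Mozilla/5.0
"""

WINDOW = timedelta(minutes=2)      # assumed correlation window
ODD_LABEL_MIN_LEN = 15             # assumed threshold for a "random-looking" label
STANDARD_PORTS = {80, 443, None}   # None: no explicit port in the URL


def parse_line(line):
    """Split one constructed log line into its fields (UA may contain spaces)."""
    ts, client, method, url, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "ua": ua}


def indicators_for(entry):
    """Return the set of indicator names a single request trips."""
    found = set()
    parts = urlsplit(entry["url"])
    host = parts.hostname or ""
    first_label = host.split(".")[0]
    java_ua = entry["ua"].startswith("Java/")  # assumed Java plugin UA prefix

    # 1. Java client pulling content from a long, random-looking label on a non-standard port
    if java_ua and parts.port not in STANDARD_PORTS and len(first_label) >= ODD_LABEL_MIN_LEN:
        found.add("java_fetch_odd_host")
    # 2. geolocation lookup seen right after the binary download
    if host == "j.maxmind.com" and parts.path == "/app/geoip.js":
        found.add("maxmind_geoip")
    # 3. the errant Java request for a JAR-internal service descriptor over HTTP
    if java_ua and parts.path.startswith("/META-INF/services/"):
        found.add("meta_inf_services_over_http")
    return found


def correlate(log_text, window=WINDOW):
    """Map client -> set of indicators when >= 2 distinct ones fall inside `window`."""
    events = defaultdict(list)  # client -> [(timestamp, indicator)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        for name in indicators_for(entry):
            events[entry["client"]].append((entry["ts"], name))

    alerts = {}
    for client, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= 2:
                alerts[client] = names
                break
    return alerts


if __name__ == "__main__":
    for client, names in correlate(SAMPLE_LOG).items():
        print(f"ALERT {client}: {', '.join(sorted(names))}")
```

Run against the constructed log, only 10.0.0.5 alerts with all three indicators; 10.0.0.7 makes a lone geoip.js request, which by itself is routine and stays below the threshold. The /META-INF/services/ check is scored on its own line so you can watch how often it fires in your environment before deciding whether it is a usable indicator.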