Technical Information
Malicious functions
Creates and executes the following (exploit)
- '%APPDATA%\microsoft\addins\y1g9i2m9.exe'
- '%APPDATA%\microsoft\addins\b8g8p1m6.exe'
Executes the following (exploit)
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\B2W9J5B3.txt %APPDATA%\Microsoft\AddIns\Y1G9I2M9.exe
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\F9W6F4O1.txt %APPDATA%\Microsoft\AddIns\B8G8P1M6.exe
Modifies file system
Creates the following files
- %APPDATA%\microsoft\addins\b2w9j5b3.txt
- %APPDATA%\microsoft\addins\y1g9i2m9.exe
- %APPDATA%\microsoft\addins\f9w6f4o1.txt
- %APPDATA%\microsoft\addins\b8g8p1m6.exe
Network activity
Connects to
- '34.##.136.217':1335
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\B2W9J5B3.txt %APPDATA%\Microsoft\AddIns\Y1G9I2M9.exe' (with hidden window)
- '%APPDATA%\microsoft\addins\y1g9i2m9.exe' ' (with hidden window)
- '<SYSTEM32>\certutil.exe' -decode %APPDATA%\Microsoft\AddIns\F9W6F4O1.txt %APPDATA%\Microsoft\AddIns\B8G8P1M6.exe' (with hidden window)
- '%APPDATA%\microsoft\addins\b8g8p1m6.exe' ' (with hidden window)
