#troldesh_121118

VRad Nov 12th, 2018 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/1y8MpRZq

previous contact:
14/09/18    https://pastebin.com/q6L376A8
14/09/18    https://pastebin.com/L8MvAccK
12/09/18    https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach (zip) > js > WSH > GET > %temp%\*.tmp

email_headers
--------------
Return-Path: <info@bijdam.nl>
From: Марков <info@bijdam.nl>
Reply-To: Марков <info@bijdam.nl>
To: user1@victim.com
Subject: заказ
Received: from mail.pw5.nl (ahv-id-3843.vps.awcloud.nl [145.131.7.32])
    by srv0.victim.com for <user1@victim.com>; Mon, 12 Nov 2018 15:31:46 +0200
Mon, 12 Nov 2018 13:31:45 +0000

files
--------------
SHA-256 0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da
File name   Gazprombank.zakaz.docx.zip
File size   2.04 KB

SHA-256 dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739
File name   decoy.js
File size   4.5 KB

SHA-256 e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
File name   sserv.jpg   (exe!)
File size   1.31 MB

(!)13/11/18_ new payload
SHA-256 884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e
File name   PSCP
File size   1.29 MB

SHA-256 7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418
File name   PSCP
File size   1.29 MB

activity
**************

ransom_note
--------------
Your files have been encrypted.
To decrypt them, you need to send the code:
85F93484188BBACD2983|878|8|10
to the e-mail address pilotpilot088@gmail.com .
(the original note is in Russian and mixes Latin and Cyrillic look-alike characters)

encrypt_ext
--------------
.crypted000007

pd_src
--------------
landgfx{.} com/templates/chaarfile2/includes/classes/sserv.jpg  (exe!)

netwrk
--------------
37.187.134.89   www.landgfx{.} com  GET /templates/chaarfile2/includes/classes/sserv.jpg HTTP/1.1   Mozilla/4.0

comp
--------------
#3rd_full
--------------
wscript.exe 2968    TCP s5.mizbandp.com http    ESTABLISHED

rad3C919.tmp    2644    TCP localhost   49324   ESTABLISHED
rad3C919.tmp    2644    TCP localhost   49323   ESTABLISHED
rad3C919.tmp    2644    TCP tor.dizum.com   https   ESTABLISHED
rad3C919.tmp    2644    TCP tor.noreply.org https   ESTABLISHED
rad3C919.tmp    2644    TCP 133-241-15-51.rev.cloud.scaleway.com    9001    ESTABLISHED

rad3C919.tmp    2644    TCP 127.0.0.1   49324   ESTABLISHED
rad3C919.tmp    2644    TCP 127.0.0.1   49323   ESTABLISHED
rad3C919.tmp    2644    TCP 194.109.206.212 443 ESTABLISHED
rad3C919.tmp    2644    TCP 86.59.21.38 443 ESTABLISHED
rad3C919.tmp    2644    TCP 51.15.241.133   9001    ESTABLISHED
rad3C919.tmp    2644    TCP 5.9.151.241 4223    ESTABLISHED

#2nd_only_exe
--------------
sserv.exe   456 TCP 127.0.0.1   49323   ESTABLISHED
sserv.exe   456 TCP 127.0.0.1   49322   ESTABLISHED
sserv.exe   456 TCP 86.59.21.38 443 ESTABLISHED
sserv.exe   456 TCP 154.35.32.5 443 SYN_SENT

sserv.exe   456 TCP localhost   49323   ESTABLISHED
sserv.exe   456 TCP localhost   49322   ESTABLISHED
sserv.exe   456 TCP tor.noreply.org https   ESTABLISHED
sserv.exe   456 TCP faravahar.rabbani.jp    https   SYN_SENT

#1st_js
--------------
wscript.exe 1620    37.187.134.89   80  ESTABLISHED

rad22DFE.tmp    2168    127.0.0.1   49324   ESTABLISHED
rad22DFE.tmp    2168    127.0.0.1   49323   ESTABLISHED
rad22DFE.tmp    2168    154.35.32.5 443 SYN_SENT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp
C:\tmp\rad3C919.tmp

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              12.11.2018 20:22
Client Server Runtime Subsystem Command-line SCP/SFTP client    Simon Tatham    c:\programdata\windows\csrss.exe    13.11.2018 7:05

drop
--------------
C:\tmp\rad3C919.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs

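The chain in the attack_vector, comp, proc and persist sections above lends itself to a few host-side checks: a script host with an outbound socket, a rad*.tmp process talking to Tor relays (or to 9001, Tor's default ORPort), cmd.exe /c launching that .tmp from C:\tmp, and a Run value that borrows a Windows system binary name (csrss.exe) from under C:\ProgramData. The following Python is an added example, not part of the paste or of VRad's tooling. It runs those rules over constructed telemetry laid out like the paste's netstat, process and Run-key listings; the relay hostnames, IPs, file names and the csrss.exe Run value come from the paste, while the benign control lines, the exact log layout and the 192.0.2.10 address are assumptions.

```python
import re
from ipaddress import ip_address

# Indicators copied from the paste (comp / proc / drop / persist sections).
TOR_RELAY_HOSTS = {
    "tor.dizum.com", "tor.noreply.org", "faravahar.rabbani.jp",
    "133-241-15-51.rev.cloud.scaleway.com",
}
TOR_RELAY_IPS = {"194.109.206.212", "86.59.21.38", "51.15.241.133",
                 "154.35.32.5", "5.9.151.241"}
TOR_OR_PORTS = {"9001"}                      # Tor's default ORPort
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RAD_TMP = re.compile(r"rad[0-9a-f]{5}\.tmp", re.IGNORECASE)  # rad3C919.tmp, rad22DFE.tmp
# Binaries that legitimately run only from System32; the paste's Run value is
# csrss.exe under C:\ProgramData.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe"}

# Constructed sample lines in the paste's layout: image pid [proto] remote port state.
# 192.0.2.10 is a documentation address standing in for benign browser traffic.
SAMPLE_CONNECTIONS = """\
wscript.exe 1620 TCP 37.187.134.89 80 ESTABLISHED
rad3C919.tmp 2644 TCP tor.dizum.com https ESTABLISHED
rad3C919.tmp 2644 TCP 51.15.241.133 9001 ESTABLISHED
rad22DFE.tmp 2168 154.35.32.5 443 SYN_SENT
chrome.exe 3100 TCP 192.0.2.10 443 ESTABLISHED
wscript.exe 1620 TCP 127.0.0.1 49323 ESTABLISHED
"""

# Constructed command lines: the paste's three-step chain plus a benign control.
SAMPLE_PROCESSES = [
    r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"',
    r'"C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp',
    r"C:\tmp\rad3C919.tmp",
    r'"C:\Windows\System32\cmd.exe" /c dir',
]

# Constructed HKCU\...\Run values; the first mirrors the paste's persist entry.
SAMPLE_RUN_KEYS = {
    "Client Server Runtime Subsystem": r"c:\programdata\windows\csrss.exe",
    "OneDrive": r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}


def parse_connection(line):
    """Split one connection line; the paste's #1st_js block omits the protocol column."""
    parts = line.split()
    if len(parts) == 5:
        parts.insert(2, "-")
    if len(parts) != 6:
        return None
    image, pid, proto, remote, port, state = parts
    return {"image": image.lower(), "pid": int(pid), "proto": proto,
            "remote": remote, "port": port, "state": state}


def is_loopback(remote):
    if remote == "localhost":
        return True
    try:
        return ip_address(remote).is_loopback
    except ValueError:          # a hostname rather than an address
        return False


def check_connections(text):
    """Return (reason, line) pairs for connections matching the paste's IOCs."""
    hits = []
    for line in text.splitlines():
        c = parse_connection(line)
        if c is None:
            continue
        if c["image"] in SCRIPT_HOSTS and not is_loopback(c["remote"]):
            hits.append(("script host with outbound connection", line))
        if RAD_TMP.fullmatch(c["image"]):
            hits.append(("rad*.tmp process owning a socket", line))
        if (c["remote"] in TOR_RELAY_HOSTS or c["remote"] in TOR_RELAY_IPS
                or c["port"] in TOR_OR_PORTS):
            hits.append(("known Tor relay or ORPort", line))
    return hits


def check_process(cmdline):
    """Flag each link of the WScript -> cmd /c -> C:\\tmp\\rad*.tmp chain."""
    low = cmdline.lower()
    reasons = []
    if "wscript.exe" in low and re.search(r'\.js"?$', low):
        reasons.append("WScript executing a .js file")
    if "cmd.exe" in low and "/c" in low and RAD_TMP.search(low):
        reasons.append("cmd /c launching rad*.tmp")
    if low.startswith("c:\\tmp\\") and RAD_TMP.search(low):
        reasons.append("rad*.tmp running from C:\\tmp")
    return reasons


def check_run_keys(entries):
    """Flag Run values under ProgramData or reusing a system binary name elsewhere."""
    hits = []
    for name, path in entries.items():
        p = path.lower()
        exe = p.rsplit("\\", 1)[-1]
        if p.startswith("c:\\programdata\\"):
            hits.append((name, "autorun image under C:\\ProgramData"))
        if exe in SYSTEM_NAMES and not p.startswith("c:\\windows\\system32\\"):
            hits.append((name, exe + " outside System32 (masquerade)"))
    return hits


if __name__ == "__main__":
    for hit in check_connections(SAMPLE_CONNECTIONS):
        print("NET ", hit)
    for cmd in SAMPLE_PROCESSES:
        print("PROC", check_process(cmd) or "-", cmd)
    for hit in check_run_keys(SAMPLE_RUN_KEYS):
        print("RUN ", hit)
```

The relay list is only as good as the day it was captured, so the more durable rules are the structural ones: a script host or a rad*.tmp owning a non-loopback socket, and a system binary name autorunning from outside System32.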
# # #
zip -   https://www.virustotal.com/#/file/0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da/details
js  -   https://www.virustotal.com/#/file/dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739/details
exe(12) -   https://www.virustotal.com/#/file/e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818/details
        https://analyze.intezer.com/#/analyses/b0051a93-542b-4887-881a-fd270495d8d3

exe(13) -   https://www.virustotal.com/#/file/884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e/details
        https://analyze.intezer.com/#/analyses/94144b20-8e24-43f4-b2c2-23fe0b80e97d
        https://www.virustotal.com/#/file/7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418/details
        https://analyze.intezer.com/#/analyses/eb368e7e-7971-4172-a611-373086219d5a

ip  -   https://cymon.io/154.35.32.5
        https://www.threatminer.org/host.php?q=154.35.32.5

@