G0dR4p3

GandCrab_Ransomware_IOC_27-08-2018

Aug 27th, 2018
#GandCrab v.4 #Trojan #Ransomware
-----------------------------------
27-08-2018 IOC's
-----------------------------------
Main object- "__ppt__.js"
sha256 747cd2a35232496048348848be88146396f89319a22864da179ad88f83b98385
sha1 f5af96f0200a249418f7eb19457bc1cece2577a7
md5 da2c219b0684d15637346a0f42adc98b
Dropped executable file
sha256 C:\Users\admin\pjgvqoemd.exe 5930513fa35d1ac38d92cbd4b5be982bbdbeb5b4e2c5274a8bf33ce0bdef933c
DNS requests
Connections
HTTP/HTTPS requests