#troldesh_200219

1. #IOC #OptiData #VR #shade #troldesh #WSH #ZIP
2.  
3. https://pastebin.com/4XDjjWZh
4.  
5. previous contact:
6. 28/12/18 https://pastebin.com/E3isAsmV
7. 26/12/18 https://pastebin.com/kx8Y0XzR
8. 25/12/18 https://pastebin.com/xNRiz3QW
9. 24/12/18 https://pastebin.com/mMMZe73m
10.  
11. FAQ:
12. https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
13. https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
14.  
15. attack_vector
16. --------------
17. email URL > GET .ZIP > JS > WSH > GET .jpg > %temp%\*.tmp
18.  
19. email_headers
20. --------------
21. Received: from [::1] (port=56724 helo=mjail2.freenet.de)
22. by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
23. Received: from [195.4.92.165] (helo=mjail2.freenet.de)
24. by mout0.freenet.de with esmtpa (ID [email protected]) (port 25) (Exim 4.90_1 #2)
25. Received: from [81.18.133.6] (port=50083 helo=COMPUTER)
26. by sub5.freenet.de with esmtpsa (ID [email protected]) (port 465) (Exim 4.90_1 #2)
27. Received: from sub5.freenet.de ([195.4.92.124]:36652)
28. by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
29. Reply-To: Мельников <[email protected]>
30. From: Мельников <[email protected]>
31. To: <[email protected]>
32. Subject: относительно заказа
33. Date: Wed, 20 Feb 2019 10:49:56 +0200
34.  
35. files
36. --------------
37. SHA-256 b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f
38. File name pik.zip [Zip archive data, at least v2.0 to extract]
39. File size 3.59 KB
40.  
41. SHA-256 9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0
42. File name ПАО «Группа Компаний ПИК» подробности заказа.js [ASCII text]
43. File size 7.13 KB
44.  
45. SHA-256 6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6
46. File name msg.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
47. File size 1.36 MB
48.  
49. activity
50. **************
51. PL_SRC:
52.  
53. http://koharu2007.com/images/pik.zip
54. http://haglfurniture.vn/templates/dogo/html/com_contact/contact/msg.jpg
55.  
56. netwrk
57. --------------
58. http.request.method == GET
59.  
60. 103.3.245.248 haglfurniture.vn GET /templates/dogo/html/com_contact/contact/msg.jpg Mozilla/4.0
61. 104.16.154.36 whatismyipaddress.com GET / Mozilla/5.0
62. 104.18.34.131 whatsmyip.net GET / Mozilla/5.0
63.  
64. ssl
65. 81.17.30.33 www.vztjioj3xsucc.com Client Hello
66. 82.192.94.125 www.qgyr.com Client Hello
67. 131.188.40.189 www.52e5xr5y7n72exom.com Client Hello
68.  
69. comp
70. --------------
71. wscript.exe 1696 TCP loclahost 49214 103.3.245.248 80 ESTABLISHED
72.  
73. radFC88F.tmp 2316 TCP loclahost 49215 loclahost 49216 ESTABLISHED
74. radFC88F.tmp 2316 TCP loclahost 49217 131.188.40.189 443 ESTABLISHED
75. radFC88F.tmp 2316 TCP loclahost 49218 128.31.0.39 9101 ESTABLISHED
76. radFC88F.tmp 2316 TCP loclahost 49219 82.192.94.125 443 ESTABLISHED
77. radFC88F.tmp 2316 TCP loclahost 49220 81.17.30.33 443 ESTABLISHED
78. radFC88F.tmp 2316 TCP loclahost 49221 173.249.25.217 9001 ESTABLISHED
79.  
80. proc
81. --------------
82. C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js
83. C:\Windows\System32\cmd.exe" /c C:\tmp\radFC88F.tmp
84. C:\tmp\radFC88F.tmp
85. C:\Windows\system32\vssadmin.exe List Shadows
86. C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
87. C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
88.  
89. C:\Windows\system32\taskhost.exe $(Arg0)
90. C:\Windows\system32\vssvc.exe
91.  
92. C:\Windows\system32\svchost.exe -k DcomLaunch
93. C:\Windows\System32\mobsync.exe -Embedding
94.  
95. persist
96. --------------
97. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 20.02.2019 11:41
98. Client Server Runtime Subsystem
99. c:\programdata\windows\csrss.exe 20.02.2019 9:19
100.  
101. drop
102. --------------
103. %temp%\radFC88F.tmp
104. %temp%\6893A5D897\cached-certs
105. %temp%\6893A5D897\cached-microdesc-consensus
106. %temp%\6893A5D897\cached-microdescs.new
107. %temp%\6893A5D897\lock
108. %temp%\6893A5D897\state
109.  
110. C:\ProgramData\Windows\csrss.exe
111.  
112.  
113. # # #
114. https://www.virustotal.com/#/file/b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f/details
115. https://www.virustotal.com/#/file/9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0/details
116. https://www.virustotal.com/#/file/6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6/details
117. https://analyze.intezer.com/#/analyses/a072f977-227b-40ea-ac12-d70d76e9e0aa
118.  
119. VR
120.  
121. @