#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/4XDjjWZh

previous contact:
28/12/18 https://pastebin.com/E3isAsmV
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email URL > GET .ZIP > JS > WSH > GET .jpg > %temp%\*.tmp

email_headers
--------------
Received: from [::1] (port=56724 helo=mjail2.freenet.de)
by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
Received: from [195.4.92.165] (helo=mjail2.freenet.de)
by mout0.freenet.de with esmtpa (ID [email protected]) (port 25) (Exim 4.90_1 #2)
Received: from [81.18.133.6] (port=50083 helo=COMPUTER)
by sub5.freenet.de with esmtpsa (ID [email protected]) (port 465) (Exim 4.90_1 #2)
Received: from sub5.freenet.de ([195.4.92.124]:36652)
by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
Reply-To: Мельников <[email protected]>
From: Мельников <[email protected]>
To: <[email protected]>
Subject: относительно заказа
Date: Wed, 20 Feb 2019 10:49:56 +0200

files
--------------
SHA-256 b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f
File name pik.zip [Zip archive data, at least v2.0 to extract]
File size 3.59 KB

SHA-256 9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0
File name ПАО «Группа Компаний ПИК» подробности заказа.js [ASCII text]
File size 7.13 KB

SHA-256 6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6
File name msg.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.36 MB

activity
**************
PL_SRC:
http://koharu2007.com/images/pik.zip
http://haglfurniture.vn/templates/dogo/html/com_contact/contact/msg.jpg

netwrk
--------------
http.request.method == GET
103.3.245.248 haglfurniture.vn GET /templates/dogo/html/com_contact/contact/msg.jpg Mozilla/4.0
104.16.154.36 whatismyipaddress.com GET / Mozilla/5.0
104.18.34.131 whatsmyip.net GET / Mozilla/5.0

ssl
81.17.30.33 www.vztjioj3xsucc.com Client Hello
82.192.94.125 www.qgyr.com Client Hello
131.188.40.189 www.52e5xr5y7n72exom.com Client Hello

comp
--------------
wscript.exe 1696 TCP localhost 49214 103.3.245.248 80 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49215 localhost 49216 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49217 131.188.40.189 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49218 128.31.0.39 9101 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49219 82.192.94.125 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49220 81.17.30.33 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49221 173.249.25.217 9001 ESTABLISHED

proc
--------------
C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js
C:\Windows\System32\cmd.exe" /c C:\tmp\radFC88F.tmp
C:\tmp\radFC88F.tmp
C:\Windows\system32\vssadmin.exe List Shadows
C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
C:\Windows\system32\taskhost.exe $(Arg0)
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\mobsync.exe -Embedding

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 20.02.2019 11:41
Client Server Runtime Subsystem
c:\programdata\windows\csrss.exe 20.02.2019 9:19

drop
--------------
%temp%\radFC88F.tmp
%temp%\6893A5D897\cached-certs
%temp%\6893A5D897\cached-microdesc-consensus
%temp%\6893A5D897\cached-microdescs.new
%temp%\6893A5D897\lock
%temp%\6893A5D897\state
C:\ProgramData\Windows\csrss.exe

# # #
https://www.virustotal.com/#/file/b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f/details
https://www.virustotal.com/#/file/9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0/details
https://www.virustotal.com/#/file/6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6/details
https://analyze.intezer.com/#/analyses/a072f977-227b-40ea-ac12-d70d76e9e0aa

VR
@