VRad

#adwind_261218

Dec 27th, 2018
#IOC #OptiData #VR #Adwind #Java #JAR #JRE

https://pastebin.com/BqbDN6Sr

FAQ:
https://radetskiy.wordpress.com/2018/05/11/ioc_adwind_100518/

attack_vector
--------------
email attach .JAR > WSH > JRE > AppData\Roaming\*.jar + *.vbs

email_headers
--------------
Received: from gunimo.com ([167.99.137.237])
by srv8.victim1.com for <user0@org7.victim1.com>;
Wed, 26 Dec 2018 12:24:21 +0200 (EET)
(envelope-from tony.turner@stoneacre.co.uk)
Received: from [102.165.33.14]
by gunimo.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256)
(Exim 4.84_2) (envelope-from <tony.turner@stoneacre.co.uk>)
id 1gZrOo-0001md-CS; Thu, 20 Dec 2018 06:01:44 +0000
Subject: Order
To: Recipients <tony.turner@stoneacre.co.uk>
From: "Tony" <tony.turner@stoneacre.co.uk>

files
--------------
SHA-256 b5cf1f4216841631e80ad31be8f623399d2a2c7057d3f7a062c9c7b2055eec11
File name Order.jar
File size 634.28 KB

activity
--------------

JAR > JRE > WSH > JRE > collect system info & open remote connection

netwrk
--------------
185.183.97.184 goz.unknowncrypter{.} com:7789 POST /is-ready HTTP/1.1
AC38D1C7<|>APM11<|>operator<|>Microsoft Windows 7 ... <|>plus<|>nan-av<|>false - 26.12.2018

comp
--------------
java.exe 2628 TCP 127.0.0.1 7777 SYN_SENT
wscript.exe 2104 TCP 185.183.97.184 7789 ESTABLISHED
javaw.exe 976 TCP 185.244.30.121 4379 SYN_SENT

proc
--------------
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\Desktop\Order.jar"
C:\Windows\system32\wscript.exe C:\Users\operator\ufcgwhauov.vbs
"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"
C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version 2> C:\tmp\output.txt
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\AppData\Roaming\ntfsmgr.jar"
"C:\Program Files\Java\jre1.8.0_191\bin\java.exe" -jar C:\tmp\_0.90765668489300629104286604121415413.class

C:\Windows\system32\cmd.exe
C:\tmp\Retrive275305157297834866.vbs
C:\tmp\Retrive3342971358066659593.vbs
C:\tmp\Retrive5146022430127275435.vbs
C:\tmp\Retrive118764366264415957.vbs

C:\Windows\system32\xcopy.exe "C:\Program Files\Java\jre1.8.0_191" "C:\Users\operator\AppData\Roaming\Oracle\" /e

C:\Windows\system32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v zaRukQhXbGj /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI\"" /f

C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\TpTuKAZzLlb\*.*"

C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI
C:\Users\operator\AppData\Roaming\Oracle\bin\java.exe -jar C:\tmp\_0.58402873485980682215056483974766042.class
C:\Windows\system32\cmd.exe
C:\tmp\Retrive3841406484415973045.vbs
C:\tmp\Retrive4727136555263513640.vbs
C:\tmp\Retrive7570843625298647226.vbs
C:\tmp\Retrive8366581331663954177.vbs

C:\Windows\system32\taskkill.exe /IM ProcessHacker.exe /T /F

C:\Windows\system32\cmd.exe /c regedit.exe /s C:\tmp\CEBqbLoDPx3000572971971620291.reg

C:\Windows\system32\taskkill.exe

taskkill /IM MSASCui.exe /T /F
taskkill /IM MsMpEng.exe /T /F
taskkill /IM MpUXSrv.exe /T /F
taskkill /IM MpCmdRun.exe /T /F
taskkill /IM NisSrv.exe /T /F
taskkill /IM ConfigSecurityPolicy.exe /T /F
taskkill /IM procexp.exe /T /F
taskkill /IM wireshark.exe /T /F
...
taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
taskkill /IM twsscan.exe /T /F
taskkill /IM UserReg.exe /T /F


persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 17:38

@dVvzehDtJK
c:\users\operator\appdata\roaming\dvvzehdtjk.vbs 26.12.2018 17:38
wscript.exe //B "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"

@ntfsmgr Java(TM) Platform SE binary Oracle Corporation
c:\program files\java\jre1.8.0_191\bin\javaw.exe 06.10.2018 18:42
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\AppData\Roaming\ntfsmgr.jar"

@zaRukQhXbGj Java(TM) Platform SE binary Oracle Corporation
c:\users\operator\appdata\roaming\oracle\bin\javaw.exe 06.10.2018 18:42
"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI"

C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 26.12.2018 17:38
@dVvzehDtJK.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\dvvzehdtjk.vbs 26.12.2018 17:38
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dVvzehDtJK.vbs

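Detection logic for the proc and persist sections above, added here as an example and not part of the original paste: it runs over process command lines (the kind of telemetry Sysmon Event ID 1 or an EDR records) and flags the pieces of this chain, namely wscript running a .vbs from the user profile, javaw -jar launched against a jar under C:\Users, a JRE copied into AppData\Roaming with xcopy, an HKCU Run entry that starts javaw -jar, and taskkill aimed at the security tools listed on this page. The sample lines are copied from the proc section; the rule names and regexes are my own.

```python
import re

# Constructed sample: process command lines copied from the proc section of this IOC sheet.
SAMPLE_PROC_LINES = [
    r'"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\Desktop\Order.jar"',
    r'C:\Windows\system32\wscript.exe C:\Users\operator\ufcgwhauov.vbs',
    r'C:\Windows\system32\xcopy.exe "C:\Program Files\Java\jre1.8.0_191" "C:\Users\operator\AppData\Roaming\Oracle\" /e',
    r'C:\Windows\system32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v zaRukQhXbGj /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI\"" /f',
    r'C:\Windows\system32\taskkill.exe /IM MsMpEng.exe /T /F',
    r'"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version',
]

# Rule names are my own labels; each regex targets one step observed in this sample.
RULES = [
    # WSH interpreter executing a .vbs that lives under a user profile (not Program Files).
    ("wscript_user_vbs", re.compile(r'wscript\.exe"?\s+(?://B\s+)?"?[A-Za-z]:\\Users\\.*\.vbs', re.I)),
    # java/javaw started with -jar on a file under C:\Users (also fires on the reg add payload).
    ("java_jar_from_user_profile", re.compile(r'javaw?\.exe\\?"?\s+-jar\s+\\?"?[A-Za-z]:\\Users\\', re.I)),
    # A whole JRE directory copied into AppData\Roaming, giving the implant its own runtime.
    ("jre_copy_to_appdata", re.compile(r'xcopy(?:\.exe)?\b.*\\jre.*AppData\\Roaming', re.I)),
    # HKCU Run key written so that javaw -jar runs at logon.
    ("run_key_java", re.compile(
        r'reg(?:\.exe)?\s+add\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b.*javaw?\.exe.*-jar', re.I)),
    # taskkill against Defender / analysis tools named in the proc section.
    ("kill_security_tool", re.compile(
        r'taskkill(?:\.exe)?\s.*/IM\s+(?:MsMpEng|MSASCui|NisSrv|MpCmdRun|MpUXSrv|ConfigSecurityPolicy'
        r'|ProcessHacker|procexp|wireshark)\.exe', re.I)),
]


def classify(cmdline):
    """Return the names of all rules that fire on a single process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Map line index -> fired rules for every suspicious line; clean lines are omitted."""
    result = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            result[i] = hits
    return result


def adwind_chain_present(lines):
    """True when the persistence pair seen in this sample (JRE copied under AppData\\Roaming
    plus an HKCU Run entry launching javaw -jar) both appear in the host's command lines."""
    fired = {rule for hits in scan(lines).values() for rule in hits}
    return {"jre_copy_to_appdata", "run_key_java"} <= fired
```

Single rules such as java_jar_from_user_profile will also fire on legitimate user-installed Java apps, so triage on the combination reported by adwind_chain_present rather than on any one hit.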
drop
--------------
C:\Users\operator\ufcgwhauov.vbs
C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs
C:\tmp\output.txt
C:\Users\operator\AppData\Roaming\ntfsmgr.jar
C:\tmp\_0.90765668489300629104286604121415413.class
C:\tmp\Retrive275305157297834866.
C:\tmp\Retrive3342971358066659593.vbs
C:\tmp\Retrive5146022430127275435.vbs
C:\tmp\Retrive118764366264415957.vbs
C:\Users\operator\AppData\Roaming\Oracle\
C:\Users\operator\TpTuKAZzLlb\
C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI
C:\Users\operator\fUTkALeaTxM\
C:\tmp\_0.58402873485980682215056483974766042.class
C:\tmp\Retrive3841406484415973045.vbs
C:\tmp\Retrive4727136555263513640.vbs
C:\tmp\Retrive7570843625298647226.vbs
C:\tmp\Retrive8366581331663954177.vbs
C:\tmp\CEBqbLoDPx3000572971971620291.reg

VR

# # #
https://www.virustotal.com/#/file/b5cf1f4216841631e80ad31be8f623399d2a2c7057d3f7a062c9c7b2055eec11/details