#troldesh_281218

VRad Dec 28th, 2018 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/E3isAsmV

previous contact:
26/12/18        https://pastebin.com/kx8Y0XzR
25/12/18        https://pastebin.com/xNRiz3QW
24/12/18        https://pastebin.com/mMMZe73m
12/11/18        https://pastebin.com/1y8MpRZq
14/09/18        https://pastebin.com/q6L376A8
14/09/18        https://pastebin.com/L8MvAccK
12/09/18        https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 2 URL > %temp%\*.tmp

email_headers
--------------
Received: from cpsmtpb-ews04.kpnxchange.com (cpsmtpb-ews04.kpnxchange.com [213.75.39.7])
    by srv8.victim1.com for <user0@org7.victim1.com>;
    Fri, 28 Dec 2018 07:25:48 +0200 (EET) (envelope-from antonsk@hetnet.nl)
Received: from cpsps-ews10.kpnxchange.com ([10.94.84.177]) by cpsmtpb-ews04.kpnxchange.com
Received: from CPSMTPM-CMT103.kpnxchange.com ([195.121.3.19]) by cpsps-ews10.kpnxchange.com
Received: from COMPUTER ([187.188.183.5]) by CPSMTPM-CMT103.kpnxchange.com
From: Копылов <antonsk@hetnet.nl>
Reply-To: Копылов <antonsk@hetnet.nl>
To: user0@org7.victim1.com
Subject: подробности заказа
Date: 28 Dec 2018 06:25:42 +0100

files
--------------
SHA-256 85864705e56d270581da68b629c1073f68e5cc6727d32cb2455caeb17135a56b
File name   info.zip        [Zip archive data, at least v2.0 to extract]
File size   3.52 KB

SHA-256 aee7fef0d9518caa61cc043feb7272bb26f7f562dc378e0c022ab662be96f4b5
File name   zakaz.zip       [Zip archive data, at least v2.0 to extract]
File size   3.42 KB

SHA-256 4c13089e2a9f2909a9d833e2f3f76a8b7cfe85a19f49d134e7e30edcd519c1f4
File name   Информация о заказе.js
File size   7.19 KB

SHA-256 6e748e99e864e4741156e9c47804bd64d04945be2115cdba2a3ca5668bd69f90
File name   sserv.jpg (csrss.exe)   [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.03 MB

activity
**************

pl_src:     h11p:\ dincerturizm{.} com/sserv.jpg
            h11p:\ shly.fsygroup{.} com//wp-content/languages/themes/sserv.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
ssl
5.135.115.34    www.m2zgy3xuxfq4hjqzdg.com      Client Hello
62.210.5.178    www.kkbbed5.com             Client Hello

http
94.73.146.142   dincerturizm.com    GET /sserv.jpg  HTTP/1.1    Mozilla/4.0
104.16.20.96    whatismyipaddress.com   GET /       HTTP/1.1    Mozilla/5.0
104.18.34.131   whatsmyip.net       GET /       HTTP/1.1    Mozilla/5.0

comp
--------------
wscript.exe 2652    94.73.146.142   80  ESTABLISHED

radC694E.tmp    3208    127.0.0.1       50951   ESTABLISHED
radC694E.tmp    3208    127.0.0.1       50950   ESTABLISHED
radC694E.tmp    3208    171.25.193.9    80  ESTABLISHED
radC694E.tmp    3208    178.63.25.10    9001    ESTABLISHED
radC694E.tmp    3208    5.135.115.34    443 ESTABLISHED
radC694E.tmp    3208    62.210.5.178    443 ESTABLISHED

[System]    0   127.0.0.1   44023   TIME_WAIT
[System]    0   127.0.0.1   44023   TIME_WAIT
[System]    0   127.0.0.1   50972   TIME_WAIT
[System]    0   127.0.0.1   44023   TIME_WAIT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radC694E.tmp
C:\tmp\radC694E.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              28.12.2018 13:07
Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    28.12.2018 5:53
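The proc and persist sections above describe a chain a detection engineer can key on: a Windows Script Host launching a .js from a user-writable path, cmd.exe executing a payload that was written with a .tmp extension, vssadmin deleting shadow copies with that script host as an ancestor, and a Run-key value masquerading as csrss.exe outside System32. The following Python is an added example written for this paste, not the author's tooling: it runs those checks over a constructed process-event sample (the pids 2652 and 3208 are taken from the paste, the remaining pids, parent pids and the explorer.exe entry are invented) and over the Run value recorded in the persist section. The rule names and severities are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# script file extensions handled by WSH, at the end of the command line (optionally quoted)
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?\s*$', re.IGNORECASE)
# directories an ordinary user can write to; the paste shows Users\ and C:\tmp
USER_WRITABLE = re.compile(r'\\(users|programdata|tmp|temp)\\', re.IGNORECASE)
# cmd.exe /c <something>.tmp, the pattern seen in the proc section
CMD_RUNS_TMP = re.compile(r'\bcmd\.exe"?\s+/c\s+\S+\.tmp\b', re.IGNORECASE)
VSS_DELETE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.IGNORECASE)
# processes that Windows only ever starts from System32; csrss.exe is one of them
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                        "services.exe", "wininit.exe", "svchost.exe"}

def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain for pid; the seen-set guards against pid reuse loops."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain

def analyze(events: List[ProcEvent]) -> List[Dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append({"pid": e.pid, "rule": "script_host_user_dir", "severity": "medium"})
        if img == "cmd.exe" and CMD_RUNS_TMP.search(e.cmdline):
            findings.append({"pid": e.pid, "rule": "cmd_runs_tmp_payload", "severity": "high"})
        if img == "vssadmin.exe" and VSS_DELETE.search(e.cmdline):
            # shadow-copy deletion is bad on its own; descending from a script host makes it critical
            sev = "critical" if any(basename(a.image) in SCRIPT_HOSTS
                                    for a in ancestors(e.pid, by_pid)) else "high"
            findings.append({"pid": e.pid, "rule": "vss_delete_shadows", "severity": sev})
    return findings

def check_run_value(value_name: str, target: str) -> List[str]:
    """Reasons a HKCU\\...\\Run value looks like the masquerade seen in the persist section."""
    t = target.strip('"').lower()
    reasons = []
    if basename(t) in SYSTEM_PROCESS_NAMES and not t.startswith("c:\\windows\\system32\\"):
        reasons.append(f"{value_name!r}: system-process name outside System32 (masquerade)")
    if USER_WRITABLE.search(t):
        reasons.append(f"{value_name!r}: autorun target in user-writable directory")
    return reasons

# constructed sample telemetry modelled on the proc section; pids 2652 and 3208 are from the paste
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2652, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация о заказе.js"'),
    ProcEvent(3100, 2652, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radC694E.tmp'),
    ProcEvent(3208, 3100, r"C:\tmp\radC694E.tmp", r"C:\tmp\radC694E.tmp"),
    ProcEvent(3300, 3208, r"C:\Windows\system32\vssadmin.exe",
              r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ProcEvent(4000, 1000, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe List Shadows"),  # benign listing, must not fire
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    for r in check_run_value("Client Server Runtime Subsystem", r"c:\programdata\windows\csrss.exe"):
        print(r)
```

The chain rule is deliberately conservative: `vssadmin List Shadows` on its own (pid 4000) is not flagged, since administrators run it routinely, while `Delete Shadows` is reported even without a script-host ancestor because the same command appears in many ransomware families beyond this one.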

drop
--------------
C:\tmp\radC694E.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

VR

# # #
https://www.virustotal.com/#/file/85864705e56d270581da68b629c1073f68e5cc6727d32cb2455caeb17135a56b/details
https://www.virustotal.com/#/file/aee7fef0d9518caa61cc043feb7272bb26f7f562dc378e0c022ab662be96f4b5/details
https://www.virustotal.com/#/file/4c13089e2a9f2909a9d833e2f3f76a8b7cfe85a19f49d134e7e30edcd519c1f4/details
https://www.virustotal.com/#/file/6e748e99e864e4741156e9c47804bd64d04945be2115cdba2a3ca5668bd69f90/details
https://analyze.intezer.com/#/analyses/a2fa42ed-e57e-4e15-92c4-e0cfe8bb7944

@