#troldesh140918

VRad Sep 14th, 2018 (edited)
#IOC #OptiData #VR #140918 #crypted000007 #troldesh #ransom #FTP #SCR

email_headers
-------------
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.133]
Received: from null (by mrelayeu.kundenserver.de (mreue009 [212.227.15.167])
From: "Xado Corp." <office@edv-wauch{.} at>
Subject: Квитанція про поповнення рахунку 786849
X-Mailer: Open-Xchange Mailer v7.8.4-Rev39
Date: Fri, 14 Sep 2018 09:43:09 +0200
Authentication-Results:
spf=fail (victim.com: 212.227.126.133 is not permitted sender for domain of office@edv-wauch.at) smtp.mailfrom=office@edv-wauch.at

link to ftp
-----------
ftp://thefooda:tZu89(!pi[n6@ftp.thefoodplace{.} net/.htpasswds/public_html/02836200.zip

files
-----
SHA-256 a6275b8c4e9e87c9ee9091454ddbd6e6dc8ba3724325d544bb00b2f529e2f181
File name   02836200.zip
File size   853.84 KB

SHA-256 0aaacae7ea064efd5964ac7833ebffa6d024f47b2c6ea98ea35a1cf91c8e6ebc
File name   docs_factur_91418.scr (EXE) !This program cannot be run in DOS mode.
File size   902.5 KB

ransom_note
-----------
Вашu файлы были зашuфpoваны.
Чтoбы раcшифроваmь uх, Вам нeoбxoдuмo oтпpавuть koд:
85F93484188BBACD2983|864|6|8
на элекmpoнный адpeс VladimirScherbinin1991@gmail{.} com .
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
(translation: "Your files have been encrypted. To decrypt them, you need to send the code: 85F93484188BBACD2983|864|6|8 to the e-mail address VladimirScherbinin1991@gmail{.} com." The original note mixes Latin look-alike letters into the Cyrillic text.)

servers
-------
178.254.31.125  www.yj6noqyybrkxksujcc{.} com
185.73.220.8    www.irceqahj{.} com
194.109.206.212 www.7jyfbwm43{.} com
178.254.31.125  www.75nbnem2gnkbxi36u{.} com
185.73.220.8    www.3tk7ugirbvnsyai3kjb{.} com

network_compromised
-------------------
docs_factur_91418.scr   3800    TCP 127.0.0.1   49593   127.0.0.1   49594   ESTABLISHED
docs_factur_91418.scr   3800    TCP 127.0.0.1   49594   127.0.0.1   49593   ESTABLISHED
docs_factur_91418.scr   3800    TCP 10.0.2.15   49595   194.109.206.212 443 ESTABLISHED
docs_factur_91418.scr   3800    TCP 10.0.2.15   49596   171.25.193.9    80  ESTABLISHED
docs_factur_91418.scr   3800    TCP 10.0.2.15   49597   185.73.220.8    443 ESTABLISHED
docs_factur_91418.scr   3800    TCP 10.0.2.15   49598   178.254.31.125  443 ESTABLISHED
docs_factur_91418.scr   3800    TCP 10.0.2.15   49599   51.158.70.41    9001    ESTABLISHED

file_system_activity
--------------------
C:\ProgramData\Windows\csrss.exe  |created hidden folder

C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\state
C:\Users\user\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus
C:\Users\user\AppData\Local\Temp\6893A5D897\cached-certs.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\cached-certs
C:\Users\user\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus
C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\state

persist
-------
Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    22.05.2017 2:53

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
data: "C:\ProgramData\Windows\csrss.exe"

regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\sh1

delete shadow copies
--------------------
command: C:\Windows\system32\vssadmin.exe List Shadows
command: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet


# # #