- #Shade #Ransomware
- landgfx.com/templates/chaarfile2/includes/classes/sserv.jpg
- https://alaweercapital.com/wp-content/themes/financepress/js/sserv.jpg
- http://evenarte.com/plugins/authentication/sserv.jpg
- dumped+unpacked:
- https://www.virustotal.com/#/file/76c985caca6909df310d1bf175632040a8debd8d9541d580d504b673bd28dd66/community
- https://www.virustotal.com/#/file/34a35496be945a93c5ddbdad3481442c8ca8c8879285388d8048c8f27bdb136d/detection
- shellcode:
- 61295168f85ac93e681a07404c5eacc8
- http://r.virscan.org/language/en/report/1f6960d156c3d8143eac424fa0acf9dd
- attack_vector
- --------------
- email attach (zip) > js > WSH > GET > %temp%\*.tmp
- email_headers
- --------------
- Return-Path: <info@bijdam.nl>
- From: Марков <info@bijdam.nl>
- Reply-To: Марков <info@bijdam.nl>
- To: user1@victim.com
- Subject: заказ
- Received: from mail.pw5.nl (ahv-id-3843.vps.awcloud.nl [145.131.7.32])
- by srv0.victim.com for <user1@victim.com>; Mon, 12 Nov 2018 15:31:46 +0200
- Mon, 12 Nov 2018 13:31:45 +0000
- files
- --------------
- SHA-256 0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da
- File name Gazprombank.zakaz.docx.zip
- File size 2.04 KB
- SHA-256 dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739
- File name decoy.js
- File size 4.5 KB
- SHA-256 e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
- File name sserv.jpg (exe!)
- File size 1.31 MB
- (!) 13/11/18 new payload
- SHA-256 884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e
- File name PSCP
- File size 1.29 MB
- SHA-256 7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418
- File name PSCP
- File size 1.29 MB
- activity
- **************
- ransom_note
- --------------
- Ваши фaйлы были зaшифpoвaны.
- Чтoбы pacшuфровaть ux, Baм нeoбхoдимо оmnpавиmь kод:
- 85F93484188BBACD2983|878|8|10
- на элeкmpонный aдрeс pilotpilot088@gmail.com .
- encrypt_ext
- --------------
- .crypted000007
- pd_src
- --------------
- landgfx{.} com/templates/chaarfile2/includes/classes/sserv.jpg (exe!)
- netwrk
- --------------
- 37.187.134.89 www.landgfx{.} com GET /templates/chaarfile2/includes/classes/sserv.jpg HTTP/1.1 Mozilla/4.0
- comp
- --------------
- #3rd_full
- --------------
- wscript.exe 2968 TCP s5.mizbandp.com http ESTABLISHED
- rad3C919.tmp 2644 TCP localhost 49324 ESTABLISHED
- rad3C919.tmp 2644 TCP localhost 49323 ESTABLISHED
- rad3C919.tmp 2644 TCP tor.dizum.com https ESTABLISHED
- rad3C919.tmp 2644 TCP tor.noreply.org https ESTABLISHED
- rad3C919.tmp 2644 TCP 133-241-15-51.rev.cloud.scaleway.com 9001 ESTABLISHED
- rad3C919.tmp 2644 TCP 127.0.0.1 49324 ESTABLISHED
- rad3C919.tmp 2644 TCP 127.0.0.1 49323 ESTABLISHED
- rad3C919.tmp 2644 TCP 194.109.206.212 443 ESTABLISHED
- rad3C919.tmp 2644 TCP 86.59.21.38 443 ESTABLISHED
- rad3C919.tmp 2644 TCP 51.15.241.133 9001 ESTABLISHED
- rad3C919.tmp 2644 TCP 5.9.151.241 4223 ESTABLISHED
- #2nd_only_exe
- --------------
- sserv.exe 456 TCP 127.0.0.1 49323 ESTABLISHED
- sserv.exe 456 TCP 127.0.0.1 49322 ESTABLISHED
- sserv.exe 456 TCP 86.59.21.38 443 ESTABLISHED
- sserv.exe 456 TCP 154.35.32.5 443 SYN_SENT
- sserv.exe 456 TCP localhost 49323 ESTABLISHED
- sserv.exe 456 TCP localhost 49322 ESTABLISHED
- sserv.exe 456 TCP tor.noreply.org https ESTABLISHED
- sserv.exe 456 TCP faravahar.rabbani.jp https SYN_SENT
- #1st_js
- --------------
- wscript.exe 1620 37.187.134.89 80 ESTABLISHED
- rad22DFE.tmp 2168 127.0.0.1 49324 ESTABLISHED
- rad22DFE.tmp 2168 127.0.0.1 49323 ESTABLISHED
- rad22DFE.tmp 2168 154.35.32.5 443 SYN_SENT
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"
- "C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp
- C:\tmp\rad3C919.tmp
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 12.11.2018 20:22
- Client Server Runtime Subsystem Command-line SCP/SFTP client Simon Tatham c:\programdata\windows\csrss.exe 13.11.2018 7:05
- drop
- --------------
- C:\tmp\rad3C919.tmp
- C:\tmp\6893A5D897\cached-certs
- C:\tmp\6893A5D897\cached-microdesc-consensus
- C:\tmp\6893A5D897\lock
- C:\tmp\6893A5D897\state
- C:\ProgramData\Windows\csrss.exe
- C:\ProgramData\System32\xfs
- # # #
- zip - https://www.virustotal.com/#/file/0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da/details
- js - https://www.virustotal.com/#/file/dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739/details
- exe(12) - https://www.virustotal.com/#/file/e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818/details
- https://analyze.intezer.com/#/analyses/b0051a93-542b-4887-881a-fd270495d8d3
- exe(13) - https://www.virustotal.com/#/file/884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e/details
- https://analyze.intezer.com/#/analyses/94144b20-8e24-43f4-b2c2-23fe0b80e97d
- https://www.virustotal.com/#/file/7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418/details
- https://analyze.intezer.com/#/analyses/eb368e7e-7971-4172-a611-373086219d5a
- ip - https://cymon.io/154.35.32.5
- https://www.threatminer.org/host.php?q=154.35.32.5
- Previous #shade #ransomware from sept 14:
- #IOC #OptiData #VR #120918 #troldesh #ransomware #crypted000007 #scr
- email_subjects:(updated 13/09)
- -----------------------------
- Платіжна інформація 9/12/2018
- інформація 6065341
- інформація 2194379
- інформація 2836783
- інформація 1438232
- ЗВIТ ПЛЮС
- mail_servers: (updated 13/09)
- -----------------------------
- 66.60.130.30
- 194.79.65.168
- 72.52.210.40
- 212.54.57.98
- 212.54.57.99
- 212.54.57.96
- email_accounts: (updated 13/09)
- -----------------------------
- FTP sources: (updated 13/09)
- -----------------------------
- ZIP Containers:
- -----------------------------
- SHA-256 aa819503e6fa943c7802a6fd1d14b918fd33cf9ad97fba7140cdd7742e5192bb
- File name Prvd_docs.zip
- File size 853.95 KB
- SHA-256 8b9b32c0965a707f26aaa9d8c316bba46d850ef768ebd1d9f2449325a311e15c
- File name mngd001.zip
- File size 853.77 KB
- Payloads:
- -----------------------------
- SHA-256 270cbd6b5c344b952eb23b3383b30c4b97dc3f5b3e7702c61bb08c19e7f0320a
- File name docs_spwo_374.scr
- File size 911 KB
- SHA-256 e7f43c2e20deb45a295eb7f3774c238e29a4a89e3d2487d9f852ada216052148
- File name 0297_docs_tre_88.scr
- File size 911 KB
- #IOC #OptiData #VR #140918 #crypted000007 #troldesh #ransom #FTP #SCR
- email_headers
- -------------
- Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.133]
- Received: from null (by mrelayeu.kundenserver.de (mreue009 [212.227.15.167])
- From: "Xado Corp." <office@edv-wauch{.} at>
- Subject: Квитанція про поповнення рахунку 786849
- X-Mailer: Open-Xchange Mailer v7.8.4-Rev39
- Date: Fri, 14 Sep 2018 09:43:09 +0200
- Authentication-Results:
- spf=fail (victim.com: 212.227.126.133 is not permitted sender for domain of office@edv-wauch.at) smtp.mailfrom=office@edv-wauch.at
- link to ftp
- -----------
- ftp://thefooda:tZu89(!pi[n6@ftp.thefoodplace{.} net/.htpasswds/public_html/02836200.zip
- files
- -----
- SHA-256 a6275b8c4e9e87c9ee9091454ddbd6e6dc8ba3724325d544bb00b2f529e2f181
- File name 02836200.zip
- File size 853.84 KB
- SHA-256 0aaacae7ea064efd5964ac7833ebffa6d024f47b2c6ea98ea35a1cf91c8e6ebc
- File name docs_factur_91418.scr (EXE) !This program cannot be run in DOS mode.
- File size 902.5 KB
- ransom_note
- ----------
- Вашu файлы были зашuфpoваны.
- Чтoбы раcшифроваmь uх, Вам нeoбxoдuмo oтпpавuть koд:
- 85F93484188BBACD2983|864|6|8
- на элекmpoнный адpeс VladimirScherbinin1991@gmail{.} com .
- http://cryptsen7fo43rr6.onion.to/
- http://cryptsen7fo43rr6.onion.cab/
- servers
- -------
- 178.254.31.125 www.yj6noqyybrkxksujcc{.} com
- 185.73.220.8 www.irceqahj{.} com
- 194.109.206.212 www.7jyfbwm43{.} com
- 178.254.31.125 www.75nbnem2gnkbxi36u{.} com
- 185.73.220.8 www.3tk7ugirbvnsyai3kjb{.} com
- network_compromised
- -------------------
- docs_factur_91418.scr 3800 TCP 127.0.0.1 49593 127.0.0.1 49594 ESTABLISHED
- docs_factur_91418.scr 3800 TCP 127.0.0.1 49594 127.0.0.1 49593 ESTABLISHED
- docs_factur_91418.scr 3800 TCP 10.0.2.15 49595 194.109.206.212 443 ESTABLISHED
- docs_factur_91418.scr 3800 TCP 10.0.2.15 49596 171.25.193.9 80 ESTABLISHED
- docs_factur_91418.scr 3800 TCP 10.0.2.15 49597 185.73.220.8 443 ESTABLISHED
- docs_factur_91418.scr 3800 TCP 10.0.2.15 49598 178.254.31.125 443 ESTABLISHED
- docs_factur_91418.scr 3800 TCP 10.0.2.15 49599 51.158.70.41 9001 ESTABLISHED
- file_system_activity
- -------------------
- C:\ProgramData\Windows\csrss.exe |created hidden folder
- C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp
- -> New: C:\Users\user\AppData\Local\Temp\6893A5D897\state
- C:\Users\user\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
- -> New: C:\Users\user\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus
- C:\Users\user\AppData\Local\Temp\6893A5D897\cached-certs.tmp
- -> New: C:\Users\user\AppData\Local\Temp\6893A5D897\cached-certs
- C:\Users\user\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
- -> New: C:\Users\user\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus
- C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp
- -> New: C:\Users\user\AppData\Local\Temp\6893A5D897\state
- persist
- - - - -
- Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 22.05.2017 2:53
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
- data: "C:\ProgramData\Windows\csrss.exe"
- regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\sh1
- delete shadow copies
- -------------------
- command: C:\Windows\system32\vssadmin.exe List Shadows
- command: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet