Untitled (pasted to Pastebin by a guest, Nov 13th, 2018)
#Shade #Ransomware

payload hosting (three locations of the same sserv.jpg, a PE executable despite the extension, see files; defanged like the rest of this page):
landgfx{.} com/templates/chaarfile2/includes/classes/sserv.jpg
https://alaweercapital{.} com/wp-content/themes/financepress/js/sserv.jpg
http://evenarte{.} com/plugins/authentication/sserv.jpg

dumped+unpacked:
https://www.virustotal.com/#/file/76c985caca6909df310d1bf175632040a8debd8d9541d580d504b673bd28dd66/community
https://www.virustotal.com/#/file/34a35496be945a93c5ddbdad3481442c8ca8c8879285388d8048c8f27bdb136d/detection

shellcode (MD5):
61295168f85ac93e681a07404c5eacc8
http://r.virscan.org/language/en/report/1f6960d156c3d8143eac424fa0acf9dd

attack_vector
--------------
email attach (zip) > js > WSH > GET > %temp%\*.tmp
(A ZIP attachment carries a .js file; opening it hands the script to Windows Script Host, which issues an HTTP GET for sserv.jpg, writes the body to a rad*.tmp file in a temp directory and launches it through cmd.exe; see proc below for the observed chain.)

email_headers
--------------
Return-Path: <info@bijdam.nl>
From: Марков <info@bijdam.nl>          (display name "Markov")
Reply-To: Марков <info@bijdam.nl>
To: user1@victim.com
Subject: заказ                         ("order")
Received: from mail.pw5.nl (ahv-id-3843.vps.awcloud.nl [145.131.7.32])
by srv0.victim.com for <user1@victim.com>; Mon, 12 Nov 2018 15:31:46 +0200
Mon, 12 Nov 2018 13:31:45 +0000
(The message arrived from a VPS at 145.131.7.32 presenting itself as mail.pw5.nl, not from a bijdam.nl host, so the sender domain and the sending infrastructure do not match; the SPF/DMARC result for bijdam.nl in the victim's gateway logs is the first thing to pull.)

files
--------------
SHA-256 0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da
File name Gazprombank.zakaz.docx.zip   (the attachment; "zakaz" = "order", double extension)
File size 2.04 KB

SHA-256 dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739
File name decoy.js   (the JScript downloader inside the ZIP)
File size 4.5 KB

SHA-256 e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
File name sserv.jpg (exe!)   (PE executable served under a .jpg name)
File size 1.31 MB

(!)13/11/18_ new payload
SHA-256 884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e
File name PSCP   (name from the PE version info; the Run-key entry under persist shows the same PSCP description on c:\programdata\windows\csrss.exe)
File size 1.29 MB

SHA-256 7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418
File name PSCP
File size 1.29 MB

activity
**************

ransom_note
--------------
Ваши фaйлы были зaшифpoвaны.
Чтoбы pacшuфровaть ux, Baм нeoбхoдимо оmnpавиmь kод:
85F93484188BBACD2983|878|8|10
на элeкmpонный aдрeс pilotpilot088@gmail.com .
(Translation: "Your files have been encrypted. To decrypt them, you need to send the code: 85F93484188BBACD2983|878|8|10 to the e-mail address pilotpilot088@gmail.com." The note is kept verbatim because it mixes Latin look-alike letters into the Cyrillic words; a plain string match on "clean" Russian text will not hit it.)

encrypt_ext
--------------
.crypted000007

pd_src
--------------
landgfx{.} com/templates/chaarfile2/includes/classes/sserv.jpg (exe!)

netwrk
--------------
37.187.134.89 www.landgfx{.} com GET /templates/chaarfile2/includes/classes/sserv.jpg HTTP/1.1 Mozilla/4.0
(The payload download issued by the script: plain HTTP to 37.187.134.89 with a bare "Mozilla/4.0" User-Agent. A proxy-log search for that UA fetching a .jpg over port 80 is a cheap retro-hunt.)

comp
--------------
(Three sandbox runs, listed newest first: #1st_js is the full chain from the .js, #2nd_only_exe runs sserv.exe on its own, #3rd_full is the chain again. Columns: process, PID, protocol, remote host, remote port, state; each run appears once with names resolved and once numeric. The 127.0.0.1/localhost pairs are the payload talking to itself. tor.dizum.com, tor.noreply.org and faravahar.rabbani.jp are Tor directory authorities and 9001 is Tor's default relay port: the payload bootstraps a Tor client, which is also what the cached-certs / cached-microdesc-consensus files under drop are. Those addresses are shared Tor infrastructure, not attacker-owned, so treat them as "this host runs Tor" indicators rather than as C2 to attribute or block in isolation.)

#3rd_full
--------------
wscript.exe 2968 TCP s5.mizbandp.com http ESTABLISHED

rad3C919.tmp 2644 TCP localhost 49324 ESTABLISHED
rad3C919.tmp 2644 TCP localhost 49323 ESTABLISHED
rad3C919.tmp 2644 TCP tor.dizum.com https ESTABLISHED
rad3C919.tmp 2644 TCP tor.noreply.org https ESTABLISHED
rad3C919.tmp 2644 TCP 133-241-15-51.rev.cloud.scaleway.com 9001 ESTABLISHED

rad3C919.tmp 2644 TCP 127.0.0.1 49324 ESTABLISHED
rad3C919.tmp 2644 TCP 127.0.0.1 49323 ESTABLISHED
rad3C919.tmp 2644 TCP 194.109.206.212 443 ESTABLISHED
rad3C919.tmp 2644 TCP 86.59.21.38 443 ESTABLISHED
rad3C919.tmp 2644 TCP 51.15.241.133 9001 ESTABLISHED
rad3C919.tmp 2644 TCP 5.9.151.241 4223 ESTABLISHED

#2nd_only_exe
--------------
sserv.exe 456 TCP 127.0.0.1 49323 ESTABLISHED
sserv.exe 456 TCP 127.0.0.1 49322 ESTABLISHED
sserv.exe 456 TCP 86.59.21.38 443 ESTABLISHED
sserv.exe 456 TCP 154.35.32.5 443 SYN_SENT

sserv.exe 456 TCP localhost 49323 ESTABLISHED
sserv.exe 456 TCP localhost 49322 ESTABLISHED
sserv.exe 456 TCP tor.noreply.org https ESTABLISHED
sserv.exe 456 TCP faravahar.rabbani.jp https SYN_SENT

#1st_js
--------------
wscript.exe 1620 37.187.134.89 80 ESTABLISHED

rad22DFE.tmp 2168 127.0.0.1 49324 ESTABLISHED
rad22DFE.tmp 2168 127.0.0.1 49323 ESTABLISHED
rad22DFE.tmp 2168 154.35.32.5 443 SYN_SENT

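Added example, not part of the paste: a small triage script for the connection listings above (and the 8-column September listing further down). It parses the lines, buckets loopback and Tor bootstrap traffic separately, and leaves only the hosts that actually delivered or controlled the payload. The directory-authority table is built from the hostnames the listing itself resolves; it is an assumption to refresh from the live Tor consensus, and the "port 9001 means relay" rule is a heuristic.

```python
# Added example, not part of the paste: parse the netstat-style listing above and
# separate Tor plumbing from the hosts that actually served or controlled the payload.
import re

# Directory authorities the listing names by hostname; the numeric forms are how the
# same connections appear in the un-resolved copy. Assumed current as of the paste;
# refresh from the live Tor consensus before relying on it.
TOR_DIR_AUTHORITIES = {
    "194.109.206.212": "tor.dizum.com",
    "86.59.21.38": "tor.noreply.org",
    "154.35.32.5": "faravahar.rabbani.jp",
}
TOR_HOST_RE = re.compile(r"^(?:tor\.|faravahar\.)", re.I)
TOR_DEFAULT_ORPORT = 9001            # heuristic: most relays listen on 9001
PORT_NAMES = {"http": 80, "https": 443}

# proc  pid  [TCP]  [local_addr local_port]  remote_addr  remote_port  state
# (covers both the short form used in this section and the 8-column form used
#  in the September listing further down)
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?:TCP\s+)?"
    r"(?:(?P<laddr>\S+)\s+(?P<lport>\d+)\s+)?"
    r"(?P<host>\S+)\s+(?P<port>\S+)\s+(?P<state>\S+)$"
)


def parse_line(line):
    """One listing line -> dict, or None for anything that is not a connection record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = PORT_NAMES.get(m["port"].lower(), m["port"])
    try:
        port = int(port)
    except ValueError:
        return None
    return {"proc": m["proc"], "pid": int(m["pid"]), "host": m["host"],
            "port": port, "state": m["state"]}


def classify(conn):
    host = conn["host"].lower()
    if host in ("127.0.0.1", "localhost", "::1"):
        return "loopback"                 # the payload talking to itself
    if host in TOR_DIR_AUTHORITIES or TOR_HOST_RE.match(host):
        return "tor-directory-authority"  # shared Tor infrastructure, not attacker-owned
    if conn["port"] == TOR_DEFAULT_ORPORT:
        return "tor-relay-orport"         # heuristic: entry guard on the default ORPort
    return "external"                     # the only bucket worth blocking/attributing


def triage(lines):
    buckets = {}
    for line in lines:
        conn = parse_line(line)
        if conn is not None:
            buckets.setdefault(classify(conn), []).append(conn)
    return buckets


def payload_hosts(lines):
    """(host, port) pairs that are neither loopback nor Tor: the real delivery/C2 set."""
    return sorted({(c["host"], c["port"]) for c in triage(lines).get("external", [])})


# Constructed sample: lines taken from the three runs above plus one 8-column line
# in the format of the September listing.
SAMPLE = """\
wscript.exe 1620 37.187.134.89 80 ESTABLISHED
rad22DFE.tmp 2168 127.0.0.1 49324 ESTABLISHED
rad22DFE.tmp 2168 127.0.0.1 49323 ESTABLISHED
rad22DFE.tmp 2168 154.35.32.5 443 SYN_SENT
wscript.exe 2968 TCP s5.mizbandp.com http ESTABLISHED
sserv.exe 456 TCP tor.noreply.org https ESTABLISHED
rad3C919.tmp 2644 TCP 133-241-15-51.rev.cloud.scaleway.com 9001 ESTABLISHED
docs_factur_91418.scr 3800 TCP 10.0.2.15 49599 51.158.70.41 9001 ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    for bucket, conns in sorted(triage(SAMPLE).items()):
        print(bucket, [(c["proc"], c["host"], c["port"]) for c in conns])
    print("block/hunt:", payload_hosts(SAMPLE))
```

On the sample, payload_hosts() returns only 37.187.134.89:80 and s5.mizbandp.com:80, which is the set to feed into proxy and firewall searches; the Tor buckets tell you the host is bootstrapping Tor, which is a strong detection on a workstation in its own right.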
proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp
C:\tmp\rad3C919.tmp
(Process chain: WScript.exe runs the .js, which spawns cmd.exe to launch the downloaded payload as a .tmp file. In this run the temp directory was C:\tmp; on a default profile it is %temp%.)

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 12.11.2018 20:22
Client Server Runtime Subsystem Command-line SCP/SFTP client Simon Tatham c:\programdata\windows\csrss.exe 13.11.2018 7:05
(Fields: Run value name, file description, company, image path, timestamp. The value name copies the description of the genuine Windows csrss.exe, while the file description and company are PuTTY's PSCP version info, matching the two "PSCP" payloads under files. The genuine csrss.exe lives in C:\Windows\System32 and is started by smss.exe, never from a Run key; any csrss.exe under ProgramData is a finding on its own.)

drop
--------------
C:\tmp\rad3C919.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs
(cached-certs, cached-microdesc-consensus, lock and state are the files a Tor client writes to its data directory; the same 6893A5D897 directory name recurs in the September sample below.)

# # #
zip - https://www.virustotal.com/#/file/0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da/details
js - https://www.virustotal.com/#/file/dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739/details
exe (12 Nov sample) - https://www.virustotal.com/#/file/e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818/details
https://analyze.intezer.com/#/analyses/b0051a93-542b-4887-881a-fd270495d8d3

exe (13 Nov samples) - https://www.virustotal.com/#/file/884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e/details
https://analyze.intezer.com/#/analyses/94144b20-8e24-43f4-b2c2-23fe0b80e97d
https://www.virustotal.com/#/file/7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418/details
https://analyze.intezer.com/#/analyses/eb368e7e-7971-4172-a611-373086219d5a

ip - https://cymon.io/154.35.32.5
https://www.threatminer.org/host.php?q=154.35.32.5
(154.35.32.5 is faravahar.rabbani.jp, a Tor directory authority, so reputation lookups on it describe Tor rather than this campaign.)


Previous #shade #ransomware from Sept 14:
#IOC #OptiData #VR #120918 #troldesh #ransomware #crypted000007 #scr

email_subjects: (updated 13/09)
-----------------------------
(Ukrainian; originals kept as indicators, English in parentheses)

Платіжна інформація 9/12/2018   ("Payment information 9/12/2018")
інформація 6065341   ("information 6065341")
інформація 2194379
інформація 2836783
інформація 1438232
ЗВIТ ПЛЮС   ("REPORT PLUS")

mail_servers: (updated 13/09)
-----------------------------

66.60.130.30
194.79.65.168
72.52.210.40
212.54.57.98
212.54.57.99
212.54.57.96

email_accounts: (updated 13/09)
-----------------------------
(Sending accounts observed in the campaign.)

a.igor@arcor.de
silke.berg@arcor.de
murdock3@arcor.de
janinacaspers@arcor.de
kaierle@arcor.de
nadaf@arcor.de
clemo.w@arcor.de
elli.winter@arcor.de
neke81@arcor.de
denis.pielka@arcor.de
kasten.m@arcor.de
onkel-mike@arcor.de
oli-gerhard@arcor.de
ge-47se@arcor.de
ronnsen_g@arcor.de
stkroeger@arcor.de
fabian.schossau@arcor.de
franz216@arcor.de
okamerlog@arcor.de
chrissifuessel@arcor.de
sternentreiber@arcor.de
kd-53@arcor.de
thwagner@arcor.de
thomas.croy@arcor.de
j.zynda@arcor.de
stevesteel@arcor.de
arslanu@arcor.de
cojahn@arcor.de
eadavid@arcor.de
philippklemm@arcor.de
roland.steurer@arcor.de
badneo@arcor.de
c.burbach@arcor.de
lars.sylvia@arcor.de
michappe2@arcor.de
johannes.steinbrecher@arcor.de
amiri111@arcor.de
vincentschwiedeps@arcor.de
oezdinc@arcor.de
varan@arcor.de
tobisperling@arcor.de
fabianahrens@arcor.de
andy-lieb@arcor.de
markxy2@arcor.de
tibe99@arcor.de
rosenstolz-100@arcor.de
rolf.kissel@arcor.de
raimondkiess@arcor.de
danielkempgen@arcor.de
vo-zi@arcor.de
dubidubidam@arcor.de
peterbartzsen@arcor.de
cjonientz@arcor.de
thomasvogt1@arcor.de
botbot@arcor.de
carstenconstabel@arcor.de
t.rick@arcor.de
c_ortiz@arcor.de
spamfelix@arcor.de
f.paul.pp@arcor.de
batyr4@arcor.de
cytomic@arcor.de
sebastian.strobl@arcor.de
robert.kagan@arcor.de
mario.muehlbach@arcor.de
exog@arcor.de
derglagla@arcor.de
brharun@arcor.de
samed.yilmaz@arcor.de
bernhardschild1@arcor.de

ruim13@iol.pt
j.belem@iol.pt
jmaia79@iol.pt
angelo.c@iol.pt
neoteo@iol.pt
ampimenta@iol.pt
manuelmonteiro1974@iol.pt
siriusgrey@iol.pt
joaonn13@iol.pt
onapp@iol.pt
hugo_china@iol.pt
gtdesk@iol.pt
claudia_ferreir@iol.pt
filipe.t@iol.pt
fpimentel@iol.pt
nina_faria@iol.pt
ricksilva@iol.pt
jm3ze@iol.pt
tfcoelho@iol.pt
anakar1@iol.pt
ritaportela@iol.pt
ndsous@iol.pt
olga_rodrigues@iol.pt

j.morgan06@blueyonder.co.uk
lf012r2929@blueyonder.co.uk

tiff1pets@reliable-mail.com
bre90oplign@reliable-mail.com

qpecota@surewest.net
chairman@phoenixhc.co.uk

stolen@ghettojam.net
ian.p.hamilton@virgin.net
robiwahn@vodafone.de
engelchen1959@alice.de
p-morell@stofanet.dk
sara@woodsidestables.com

FTP sources: (updated 13/09)
-----------------------------
("f11p:\" stands for "ftp://". Each entry embeds the FTP login of a compromised website that is hosting a ZIP container; they are kept defanged and with the credentials as found because the credentials identify which hosting accounts to notify. Do not connect to them. The sbbc.com.au entry is missing the ":" between user and password as pasted and is left as-is.)

f11p:\makoblue:london92@www.makoblue{.} com.au/public_html/2018/administrator/components/com_joomdoc/libraries/joomdoc/html/123-info001.zip
f11p:\freedomp:E8o1s8qpW5@freedompublishing{.} com.au/.trash/HTML/eoplata007.zip
f11p:\wontasti:85221064@ftp.wontastic{.} com/.htpasswds/public_html/0297_docs_tre_88.zip
f11p:\wontasti:85221064@ftp.wontastic{.} com/.trash/kitchen/wp-content/plugins/jetpack/modules/minileven/images/docs_spwo_374.zip
f11p:\j0elb:d3al4@users.tpg.com{.} au/selattyncottages/images/docs_spwo_374.zip
f11p:\mergit.com{.} au:a1d4nm143y@s46950.gridserver{.} com/domains/mergit.com{.} au/html/mergit/v00.01.13/tmp/Prvd_docs.zip
f11p:\wontasti:85221064@ftp.wontastic{.} com/.trash/kitchen/wp-content/plugins/meeting-scheduler-by-vcita/images/docs_spwo_374.zip
f11p:\sbbccom/#?-bWZ(Z_v3;@ftp.sbbc.com{.} au/.cagefs/var/cache/php-opcache/d949132ff7e5a1b34f35758ccce8ff12/home/sbbccom/public_html/mngd001.zip
f11p:\zvillanovaplaye:ATWaS1948@villanovaplayers{.} com/httpdocs/images/Prvd_docs.zip
f11p:\f189031:s3yn9bsk@cpfacilitation.com{.} au/webspace/httpdocs/wordpress/wp-content/plugins/contact-form-7/images/Prvd_docs.zip
f11p:\topuksto:zrhqh3j1ka4q19la@europa.servers.rbl-mer.misp.co{.} uk/mail/ukbargaincentral.com/steve.bartlett/.Sent/tmp/docs_spwo_374.zip
f11p:\dabaco:RqPid6!!!H0Iz5f@ftp.dabaco.com{.} au/public_html/administrator/components/com_admin/helpers/html/0297_docs_tre_88.zip
f11p:\topuksto:zrhqh3j1ka4q19la@ftp.ukbargaincentral{.} com/mail/ukbargaincentral.com/steve.bartlett/.Junk/tmp/Prvd_docs.zip
f11p:\topuksto:zrhqh3j1ka4q19la@europa.servers.rbl-mer.misp.co{.} uk/mail/.Drafts/tmp/docs_spwo_374.zip
f11p:\thestore:Soot777!@thestoreroomnsw.com{.} au/public_html/administrator/templates/khepri/html/123-info001.zip
f11p:\f189031:s3yn9bsk@cpfacilitation.com{.} au/webspace/httpdocs/wordpress/wp-content/plugins/contact-form-7/images/docs_spwo_374.zip
f11p:\etrain:*!?qfP#^QgU%@e-train.com{.} au/public_html/eoplata007.zip
f11p:\bimbella:q2h1q8a8n5@ftp.bimbellabeef.com{.} au/public_html/mngd001.zip

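Added example, not part of the paste: a parser for the defanged FTP entries above that turns each into a host / account / path record, groups entries by host so the reused accounts stand out (wontastic, topuksto and cpfacilitation each appear more than once), and reports rather than guesses at the malformed sbbc.com.au line. The interpretation of "f11p:\" as "ftp://" and "{.} " as "." is our assumption, and the password is deliberately reduced to its length so the record can go into a ticket without carrying the secret.

```python
# Added example, not part of the paste: turn the defanged FTP drop URLs above into
# host / account / path records so that reused hosts can be grouped and site owners
# notified. Parsing rules are ours; "f11p:\" and "{.} " are read as the paste's
# defangs of "ftp://" and ".".
import re
from collections import defaultdict

# user may not contain ':' or '/'; the password is matched greedily so ':' '@' '#' '?'
# inside it do not break the split; the host may not contain '/' or '@'.
FTP_RE = re.compile(r"^f11p:\\(?P<user>[^:/]+):(?P<password>.+)@(?P<host>[^/@]+)/(?P<path>.*)$")


def refang(s):
    return s.replace("{.} ", ".").replace("{.}", ".")


def parse_ftp_source(line):
    """One 'f11p:\\user:pass@host/path' line -> dict, or None if it does not parse.
    A malformed line is reported, never guessed at."""
    m = FTP_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    return {
        "user": refang(m["user"]),
        "host": refang(m["host"]).lower(),
        "password_len": len(m["password"]),   # length only; the secret stays out of reports
        "path": path,
        "filename": path.rsplit("/", 1)[-1],
    }


def group_by_host(lines):
    """-> ({host: [records]}, [unparsable lines])"""
    hosts, bad = defaultdict(list), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_ftp_source(line)
        if rec is None:
            bad.append(line)
        else:
            hosts[rec["host"]].append(rec)
    return dict(hosts), bad


# Constructed sample: five entries from the list above, including the sbbc.com.au one
# that lacks the ':' between user and password as pasted.
FTP_SOURCES = r"""
f11p:\makoblue:london92@www.makoblue{.} com.au/public_html/2018/administrator/components/com_joomdoc/libraries/joomdoc/html/123-info001.zip
f11p:\wontasti:85221064@ftp.wontastic{.} com/.htpasswds/public_html/0297_docs_tre_88.zip
f11p:\wontasti:85221064@ftp.wontastic{.} com/.trash/kitchen/wp-content/plugins/jetpack/modules/minileven/images/docs_spwo_374.zip
f11p:\sbbccom/#?-bWZ(Z_v3;@ftp.sbbc.com{.} au/.cagefs/var/cache/php-opcache/d949132ff7e5a1b34f35758ccce8ff12/home/sbbccom/public_html/mngd001.zip
f11p:\mergit.com{.} au:a1d4nm143y@s46950.gridserver{.} com/domains/mergit.com{.} au/html/mergit/v00.01.13/tmp/Prvd_docs.zip
""".splitlines()

if __name__ == "__main__":
    hosts, bad = group_by_host(FTP_SOURCES)
    for host, recs in sorted(hosts.items()):
        print(host, "account(s):", sorted({r["user"] for r in recs}),
              "files:", sorted({r["filename"] for r in recs}))
    for line in bad:
        print("UNPARSED:", line)
```

The greedy password match is the point to get right: several passwords in the list contain "!", "#", "?", "(" and ";", and a naive split on the first "@" or ":" would produce wrong hosts for them.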
ZIP Containers:
-----------------------------
SHA-256 aa819503e6fa943c7802a6fd1d14b918fd33cf9ad97fba7140cdd7742e5192bb
File name Prvd_docs.zip
File size 853.95 KB

SHA-256 8b9b32c0965a707f26aaa9d8c316bba46d850ef768ebd1d9f2449325a311e15c
File name mngd001.zip
File size 853.77 KB

Payloads:
-----------------------------
(.scr is the screensaver extension; Windows runs such files as ordinary PE executables.)
SHA-256 270cbd6b5c344b952eb23b3383b30c4b97dc3f5b3e7702c61bb08c19e7f0320a
File name docs_spwo_374.scr
File size 911 KB

SHA-256 e7f43c2e20deb45a295eb7f3774c238e29a4a89e3d2487d9f852ada216052148
File name 0297_docs_tre_88.scr
File size 911 KB

#IOC #OptiData #VR #140918 #crypted000007 #troldesh #ransom #FTP #SCR

email_headers
-------------
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.133]
Received: from null (by mrelayeu.kundenserver.de (mreue009 [212.227.15.167])
From: "Xado Corp." <office@edv-wauch{.} at>
Subject: Квитанція про поповнення рахунку 786849   ("Receipt for account top-up 786849")
X-Mailer: Open-Xchange Mailer v7.8.4-Rev39
Date: Fri, 14 Sep 2018 09:43:09 +0200
Authentication-Results:
spf=fail (victim.com: 212.227.126.133 is not permitted sender for domain of office@edv-wauch.at) smtp.mailfrom=office@edv-wauch.at
(The mail was relayed through kundenserver.de while claiming an edv-wauch.at sender; SPF failed at the victim's gateway, so a reject-on-SPF-fail policy would have stopped this one before delivery.)

link to ftp
-----------
ftp://thefooda:tZu89(!pi[n6@ftp.thefoodplace{.} net/.htpasswds/public_html/02836200.zip

files
-----
SHA-256 a6275b8c4e9e87c9ee9091454ddbd6e6dc8ba3724325d544bb00b2f529e2f181
File name 02836200.zip
File size 853.84 KB

SHA-256 0aaacae7ea064efd5964ac7833ebffa6d024f47b2c6ea98ea35a1cf91c8e6ebc
File name docs_factur_91418.scr (EXE) !This program cannot be run in DOS mode.
File size 902.5 KB
(The quoted string is the MS-DOS stub text present in every PE file; seeing it confirms the .scr is a Windows executable.)

ransom_note
----------
Вашu файлы были зашuфpoваны.
Чтoбы раcшифроваmь uх, Вам нeoбxoдuмo oтпpавuть koд:
85F93484188BBACD2983|864|6|8
на элекmpoнный адpeс VladimirScherbinin1991@gmail{.} com .
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
(Translation, as for the November note: "Your files have been encrypted. To decrypt them, you need to send the code: 85F93484188BBACD2983|864|6|8 to the e-mail address VladimirScherbinin1991@gmail.com." Same template and same leading ID block 85F93484188BBACD2983, different contact address and a different set of Latin-for-Cyrillic letter swaps. onion.to and onion.cab are Tor2web gateways to the cryptsen7fo43rr6.onion payment site.)

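Added example, not part of the paste: both ransom notes on this page (the November one under activity and the one just above) swap Latin look-alike letters into Cyrillic words, which defeats naive string matching on the note. The script below maps those letters back, leaves the victim ID, e-mail address and URLs untouched, and hashes the result with those per-victim fields blanked so one fingerprint covers the template across campaigns that rotate the contact address. The homoglyph table and the token rules are ours; the September address is refanged to gmail.com in the sample so the e-mail rule sees a single token.

```python
# Added example, not part of the paste: undo the Latin-for-Cyrillic letter swaps in the
# two ransom notes on this page so that they can be string-matched and fingerprinted.
# The mapping and the token rules are ours, not something documented for Shade.
import hashlib
import re

# Latin -> Cyrillic. First line: glyphs identical in most fonts. Second line: italic
# look-alikes (Cyrillic и/т/п set in italics resemble u/m/n) that both notes use.
HOMOGLYPHS = str.maketrans({
    "a": "а", "c": "с", "e": "е", "o": "о", "p": "р", "x": "х", "y": "у", "k": "к", "i": "і",
    "u": "и", "m": "т", "n": "п",
    "A": "А", "B": "В", "C": "С", "E": "Е", "H": "Н", "K": "К", "M": "М", "O": "О",
    "P": "Р", "T": "Т", "X": "Х",
})

# Latin-only tokens that must survive untouched: the victim ID block, e-mail addresses, URLs.
KEEP_RE = re.compile(r"[0-9A-F]{10,}\|[\d|]+|\S+@\S+|https?://\S+")


def normalise(note):
    """Map look-alike Latin letters back to Cyrillic outside the preserved tokens."""
    out, pos = [], 0
    for m in KEEP_RE.finditer(note):
        out.append(note[pos:m.start()].translate(HOMOGLYPHS))
        out.append(m.group(0))
        pos = m.end()
    out.append(note[pos:].translate(HOMOGLYPHS))
    return "".join(out)


def residual_latin(note):
    """ASCII letters still present after normalisation (outside kept tokens); empty on success."""
    return re.findall(r"[A-Za-z]", KEEP_RE.sub("", normalise(note)))


def template_fingerprint(note):
    """SHA-256 of the normalised note with ID, e-mail and URLs blanked, so the same
    template matches across campaigns that rotate the contact address."""
    text = KEEP_RE.sub("<token>", normalise(note))
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed samples: the two notes from this page, copied with their mixed letters;
# the September address is refanged (gmail.com) so the e-mail rule sees one token.
NOTE_NOV = """\
Ваши фaйлы были зaшифpoвaны.
Чтoбы pacшuфровaть ux, Baм нeoбхoдимо оmnpавиmь kод:
85F93484188BBACD2983|878|8|10
на элeкmpонный aдрeс pilotpilot088@gmail.com ."""

NOTE_SEP = """\
Вашu файлы были зашuфpoваны.
Чтoбы раcшифроваmь uх, Вам нeoбxoдuмo oтпpавuть koд:
85F93484188BBACD2983|864|6|8
на элекmpoнный адpeс VladimirScherbinin1991@gmail.com .
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/"""

if __name__ == "__main__":
    for name, note in (("nov", NOTE_NOV), ("sep", NOTE_SEP)):
        print(name, "residual latin:", residual_latin(note),
              "fingerprint:", template_fingerprint(note)[:16])
        print(normalise(note))
```

residual_latin() is the self-check: if a new sample uses a swap that the table does not cover, it returns the leftover letters instead of silently producing a fingerprint that will never match.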
servers
-------
178.254.31.125 www.yj6noqyybrkxksujcc{.} com
185.73.220.8 www.irceqahj{.} com
194.109.206.212 www.7jyfbwm43{.} com
178.254.31.125 www.75nbnem2gnkbxi36u{.} com
185.73.220.8 www.3tk7ugirbvnsyai3kjb{.} com
(Random-looking www.*.com names paired with a small set of addresses; 178.254.31.125 and 185.73.220.8 each back two names. 194.109.206.212 is tor.dizum.com in the November listing, so that pair is Tor bootstrap rather than a dedicated server.)

network_compromised
-------------------
(Columns: process, PID, protocol, local address, local port, remote address, remote port, state. 10.0.2.15 is the analysis VM. 194.109.206.212 and port 9001 are Tor bootstrap, as in the November listing.)
docs_factur_91418.scr 3800 TCP 127.0.0.1 49593 127.0.0.1 49594 ESTABLISHED
docs_factur_91418.scr 3800 TCP 127.0.0.1 49594 127.0.0.1 49593 ESTABLISHED
docs_factur_91418.scr 3800 TCP 10.0.2.15 49595 194.109.206.212 443 ESTABLISHED
docs_factur_91418.scr 3800 TCP 10.0.2.15 49596 171.25.193.9 80 ESTABLISHED
docs_factur_91418.scr 3800 TCP 10.0.2.15 49597 185.73.220.8 443 ESTABLISHED
docs_factur_91418.scr 3800 TCP 10.0.2.15 49598 178.254.31.125 443 ESTABLISHED
docs_factur_91418.scr 3800 TCP 10.0.2.15 49599 51.158.70.41 9001 ESTABLISHED

file_system_activity
-------------------
C:\ProgramData\Windows\csrss.exe |created hidden folder

C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\state
C:\Users\user\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus
C:\Users\user\AppData\Local\Temp\6893A5D897\cached-certs.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\cached-certs
C:\Users\user\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus
C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp
-> New: C:\Users\user\AppData\Local\Temp\6893A5D897\state
(The .tmp-to-final renames are a Tor client populating its data directory, the same 6893A5D897 directory seen under C:\tmp in the November run; here it sits under the user's %temp%.)

persist
- - - -
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 22.05.2017 2:53

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
data: "C:\ProgramData\Windows\csrss.exe"

regkeyval: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\sh1

delete shadow copies
-------------------
command: C:\Windows\system32\vssadmin.exe List Shadows
command: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
(Enumerate-then-delete of every Volume Shadow Copy, which removes the "Previous Versions" recovery path. "vssadmin Delete Shadows /All /Quiet" has no routine use on a workstation and is one of the highest-signal command lines to alert on; here the caller is the csrss.exe under ProgramData.)