#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/1y8MpRZq
previous contact:
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un
FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/
attack_vector
--------------
email attach (zip) > js > WSH > GET > %temp%\*.tmp
email_headers
--------------
Return-Path: <info@bijdam.nl>
From: Марков <info@bijdam.nl>
Reply-To: Марков <info@bijdam.nl>
To: user1@victim.com
Subject: заказ   (Russian: "order")
Received: from mail.pw5.nl (ahv-id-3843.vps.awcloud.nl [145.131.7.32])
by srv0.victim.com for <user1@victim.com>; Mon, 12 Nov 2018 15:31:46 +0200
Mon, 12 Nov 2018 13:31:45 +0000
files
--------------
SHA-256 0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da
File name Gazprombank.zakaz.docx.zip
File size 2.04 KB
SHA-256 dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739
File name decoy.js
File size 4.5 KB
SHA-256 e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
File name sserv.jpg (exe!)
File size 1.31 MB
(!) 13/11/18 _ new payload
SHA-256 884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e
File name PSCP
File size 1.29 MB
SHA-256 7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418
File name PSCP
File size 1.29 MB
activity
**************
ransom_note
--------------
Ваши фaйлы были зaшифpoвaны.
Чтoбы pacшuфровaть ux, Baм нeoбхoдимо оmnpавиmь kод:
85F93484188BBACD2983|878|8|10
на элeкmpонный aдрeс pilotpilot088@gmail.com .
(Translation: "Your files have been encrypted. To decrypt them, you need to send the code: 85F93484188BBACD2983|878|8|10 to the e-mail address pilotpilot088@gmail.com." The original mixes Cyrillic letters with Latin look-alikes.)
encrypt_ext
--------------
.crypted000007
pd_src
--------------
landgfx{.} com/templates/chaarfile2/includes/classes/sserv.jpg (exe!)
netwrk
--------------
37.187.134.89 www.landgfx{.} com GET /templates/chaarfile2/includes/classes/sserv.jpg HTTP/1.1 Mozilla/4.0
comp
--------------
(columns: process, PID, proto, remote host, remote port, state; the #1st_js run has no proto column)
#3rd_full
--------------
wscript.exe 2968 TCP s5.mizbandp.com http ESTABLISHED
rad3C919.tmp 2644 TCP localhost 49324 ESTABLISHED
rad3C919.tmp 2644 TCP localhost 49323 ESTABLISHED
rad3C919.tmp 2644 TCP tor.dizum.com https ESTABLISHED
rad3C919.tmp 2644 TCP tor.noreply.org https ESTABLISHED
rad3C919.tmp 2644 TCP 133-241-15-51.rev.cloud.scaleway.com 9001 ESTABLISHED
rad3C919.tmp 2644 TCP 127.0.0.1 49324 ESTABLISHED
rad3C919.tmp 2644 TCP 127.0.0.1 49323 ESTABLISHED
rad3C919.tmp 2644 TCP 194.109.206.212 443 ESTABLISHED
rad3C919.tmp 2644 TCP 86.59.21.38 443 ESTABLISHED
rad3C919.tmp 2644 TCP 51.15.241.133 9001 ESTABLISHED
rad3C919.tmp 2644 TCP 5.9.151.241 4223 ESTABLISHED
#2nd_only_exe
--------------
sserv.exe 456 TCP 127.0.0.1 49323 ESTABLISHED
sserv.exe 456 TCP 127.0.0.1 49322 ESTABLISHED
sserv.exe 456 TCP 86.59.21.38 443 ESTABLISHED
sserv.exe 456 TCP 154.35.32.5 443 SYN_SENT
sserv.exe 456 TCP localhost 49323 ESTABLISHED
sserv.exe 456 TCP localhost 49322 ESTABLISHED
sserv.exe 456 TCP tor.noreply.org https ESTABLISHED
sserv.exe 456 TCP faravahar.rabbani.jp https SYN_SENT
#1st_js
--------------
wscript.exe 1620 37.187.134.89 80 ESTABLISHED
rad22DFE.tmp 2168 127.0.0.1 49324 ESTABLISHED
rad22DFE.tmp 2168 127.0.0.1 49323 ESTABLISHED
rad22DFE.tmp 2168 154.35.32.5 443 SYN_SENT
proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp
C:\tmp\rad3C919.tmp
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   (12.11.2018 20:22)
  entry: Client Server Runtime Subsystem | description: Command-line SCP/SFTP client | publisher: Simon Tatham | image: c:\programdata\windows\csrss.exe | 13.11.2018 7:05
drop
--------------
C:\tmp\rad3C919.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs
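The connection and persistence records above contain the host-level tells of this chain: a WSH-generated rad*.tmp file talking to Tor directory hosts and ORPort 9001, wscript.exe fetching the payload over HTTP, and a Run-key entry that launches a csrss.exe copy from ProgramData. The following is an added detection example written for this page (not code from the paste's author or from any referenced project). The sample records are constructed from the comp and persist sections, with one benign connection and one benign autorun added to show non-matches; the IP and hostname lists are taken from this report only.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: records copied from the 'comp' sections of this report,
# plus one benign explorer.exe line that must not match.
CONNECTION_RECORDS = [
    "wscript.exe 2968 TCP s5.mizbandp.com http ESTABLISHED",
    "rad3C919.tmp 2644 TCP tor.dizum.com https ESTABLISHED",
    "rad3C919.tmp 2644 TCP 133-241-15-51.rev.cloud.scaleway.com 9001 ESTABLISHED",
    "rad3C919.tmp 2644 TCP 127.0.0.1 49324 ESTABLISHED",
    "sserv.exe 456 TCP 154.35.32.5 443 SYN_SENT",
    "wscript.exe 1620 37.187.134.89 80 ESTABLISHED",   # '#1st_js' lines have no proto column
    "explorer.exe 1000 TCP 10.0.0.5 445 ESTABLISHED",   # constructed benign line
]

# Constructed sample: the autorun entry from the 'persist' section split into
# fields, plus a constructed benign HKLM entry.
PERSISTENCE_RECORDS = [
    {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "entry": "Client Server Runtime Subsystem",
     "image": r"c:\programdata\windows\csrss.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "entry": "Notepad", "image": r"C:\Windows\System32\notepad.exe"},
]

# WSH's FileSystemObject.GetTempName() produces names of the form radXXXXX.tmp,
# which is why the dropped payload runs under that name.
WSH_TEMP_NAME = re.compile(r"^rad[0-9A-F]{5}\.tmp$", re.IGNORECASE)
TOR_OR_PORTS = {"9001", "9030"}                      # default Tor ORPort / DirPort
TOR_HOSTS = {"tor.dizum.com", "tor.noreply.org", "faravahar.rabbani.jp"}  # seen in this report
REPORT_IPS = {"37.187.134.89", "154.35.32.5"}       # addresses listed in this report
LOOPBACK = {"127.0.0.1", "localhost"}
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}


def parse_connection(line):
    """Parse one netstat-style record; the proto column is optional."""
    parts = line.split()
    if len(parts) == 6:
        proc, pid, _proto, host, port, state = parts
    elif len(parts) == 5:
        proc, pid, host, port, state = parts
    else:
        raise ValueError(f"unexpected record shape: {line!r}")
    return {"proc": proc, "pid": int(pid), "host": host, "port": port, "state": state}


def assess_connection(rec):
    """Return the reasons (possibly none) a connection record is suspicious."""
    reasons = []
    if rec["host"] in LOOPBACK:
        return reasons  # local SOCKS/control ports are not meaningful on their own
    if WSH_TEMP_NAME.match(rec["proc"]):
        reasons.append("network activity from a WSH-style rad*.tmp process")
    if rec["proc"].lower() == "wscript.exe" and rec["port"] in {"80", "http"}:
        reasons.append("wscript.exe performing an HTTP download")
    if rec["port"] in TOR_OR_PORTS:
        reasons.append(f"connection to Tor ORPort/DirPort {rec['port']}")
    if rec["host"] in TOR_HOSTS:
        reasons.append(f"contact with known Tor directory host {rec['host']}")
    if rec["host"] in REPORT_IPS:
        reasons.append(f"address listed in this report's IOCs: {rec['host']}")
    return reasons


def assess_persistence(entry):
    """Flag system-binary names launched from outside System32 and HKCU Run entries from ProgramData."""
    reasons = []
    path = PureWindowsPath(entry["image"].lower())
    if path.name in SYSTEM_BINARY_NAMES and "system32" not in path.parts:
        reasons.append(f"{path.name} masquerade outside System32: {entry['image']}")
    if entry["key"].upper().startswith("HKCU\\") and "programdata" in path.parts:
        reasons.append("per-user Run key launching a binary from ProgramData")
    return reasons


def scan(connection_lines=CONNECTION_RECORDS, persistence=PERSISTENCE_RECORDS):
    """Group reasons by process (name:pid) or autorun image path."""
    hits = {}
    for line in connection_lines:
        rec = parse_connection(line)
        for why in assess_connection(rec):
            hits.setdefault(f"{rec['proc']}:{rec['pid']}", set()).add(why)
    for entry in persistence:
        for why in assess_persistence(entry):
            hits.setdefault(entry["image"], set()).add(why)
    return {subject: sorted(reasons) for subject, reasons in hits.items()}


if __name__ == "__main__":
    for subject, reasons in scan().items():
        print(subject)
        for reason in reasons:
            print("   -", reason)
```

The loopback lines are skipped on purpose: the 493xx ports are the local SOCKS and control listeners of the bundled Tor client and only become interesting once the same process is also seen reaching a Tor host or ORPort, which the other rules cover.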
- # # #
- zip - https://www.virustotal.com/#/file/0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da/details
- js - https://www.virustotal.com/#/file/dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739/details
- exe(12) - https://www.virustotal.com/#/file/e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818/details
- https://analyze.intezer.com/#/analyses/b0051a93-542b-4887-881a-fd270495d8d3
- exe(13) - https://www.virustotal.com/#/file/884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e/details
- https://analyze.intezer.com/#/analyses/94144b20-8e24-43f4-b2c2-23fe0b80e97d
- https://www.virustotal.com/#/file/7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418/details
- https://analyze.intezer.com/#/analyses/eb368e7e-7971-4172-a611-373086219d5a
- ip - https://cymon.io/154.35.32.5
- https://www.threatminer.org/host.php?q=154.35.32.5
- @
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement