VRad

#troldesh_121118

Nov 12th, 2018
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/1y8MpRZq

previous contact:
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach (zip) > js > WSH > GET > %temp%\*.tmp
(the zip attachment carries a .js; wscript.exe runs it, fetches the payload over HTTP GET under the name sserv.jpg although it is a PE, writes it to %temp% as rad*.tmp, the name form Scripting.FileSystemObject.GetTempName() produces, and starts it through cmd.exe /c; see netwrk and proc below)

email_headers
--------------
Return-Path: <info@bijdam.nl>
From: Марков <info@bijdam.nl>
Reply-To: Марков <info@bijdam.nl>
To: user1@victim.com
Subject: заказ   (Russian: "order")
Received: from mail.pw5.nl (ahv-id-3843.vps.awcloud.nl [145.131.7.32])
by srv0.victim.com for <user1@victim.com>; Mon, 12 Nov 2018 15:31:46 +0200
Mon, 12 Nov 2018 13:31:45 +0000

files
--------------
SHA-256 0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da
File name Gazprombank.zakaz.docx.zip   (double extension: looks like a .docx, is the zip holding the .js)
File size 2.04 KB

SHA-256 dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739
File name decoy.js
File size 4.5 KB

SHA-256 e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
File name sserv.jpg   (exe! a PE executable served under a .jpg name)
File size 1.31 MB

(!) 13/11/18: new payload, two samples carrying the name PSCP (they borrow the version info of PuTTY's pscp; see persist)
SHA-256 884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e
File name PSCP
File size 1.29 MB

SHA-256 7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418
File name PSCP
File size 1.29 MB

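Added example, not code from the original post: a small Python check for the two naming tricks in the file list above, the PE fetched under a .jpg name and the document-looking double extension of the attachment. It decides by the MZ/PE magic rather than by the extension. The byte strings are constructed stand-ins for the samples, and the extension sets are my own assumptions.

```python
import struct

# Added example, not code from the original post. Byte strings below are
# constructed stand-ins for the samples, not the real files.
FAKE_PE = (
    b"MZ" + b"\x00" * 58                  # DOS header up to e_lfanew
    + struct.pack("<I", 0x80)             # e_lfanew -> PE signature at 0x80
    + b"\x00" * (0x80 - 64)               # padding
    + b"PE\x00\x00" + b"\x00" * 16        # PE signature + start of COFF header
)
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32   # JPEG SOI marker + JFIF APP0

# Extension sets are assumptions for the example, not a complete list.
EXEC_EXTS = {"exe", "dll", "scr", "sys", "cpl"}
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png"}
WRAPPER_EXTS = {"zip", "rar", "7z", "js", "jse", "vbs", "wsf", "lnk", "exe", "scr"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_jpeg(data: bytes) -> bool:
    """True if data starts with the JPEG SOI marker."""
    return data[:3] == b"\xff\xd8\xff"


def classify_download(name: str, data: bytes) -> str:
    """Compare the extension a download claims with what its magic bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_pe(data):
        actual = "pe"
    elif looks_like_jpeg(data):
        actual = "jpeg"
    else:
        actual = "unknown"
    if actual == "pe" and ext not in EXEC_EXTS:
        return f"MISMATCH: {name} claims .{ext} but is a PE executable"
    return f"ok: {name} is {actual}"


def suspicious_name(name: str) -> bool:
    """Document-looking extension followed by an archive/script/executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in WRAPPER_EXTS


if __name__ == "__main__":
    print(classify_download("sserv.jpg", FAKE_PE))
    print(classify_download("photo.jpg", REAL_JPEG))
    print("Gazprombank.zakaz.docx.zip ->", suspicious_name("Gazprombank.zakaz.docx.zip"))
```

The same check belongs at the proxy or mail gateway: a GET for a .jpg that returns MZ is the signal, whatever the URL path says.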
activity
**************

ransom_note
--------------
Ваши фaйлы были зaшифpoвaны.
Чтoбы pacшuфровaть ux, Baм нeoбхoдимо оmnpавиmь kод:
85F93484188BBACD2983|878|8|10
на элeкmpонный aдрeс pilotpilot088@gmail.com .
(translation: "Your files have been encrypted. To decrypt them, you need to send the code: 85F93484188BBACD2983|878|8|10 to the e-mail address pilotpilot088@gmail.com." The original mixes Latin and Cyrillic homoglyphs, e.g. Latin "a", "m", "p", "k" inside Russian words, so match on the code format or the mailbox rather than on the sentence text)

encrypt_ext
--------------
.crypted000007

pd_src (payload source)
--------------
landgfx{.} com/templates/chaarfile2/includes/classes/sserv.jpg (exe!)

netwrk
--------------
37.187.134.89 www.landgfx{.} com GET /templates/chaarfile2/includes/classes/sserv.jpg HTTP/1.1 Mozilla/4.0
(fields: server IP, host, request line, User-Agent)

comp
--------------
(connection listing per run: process, PID, proto, remote host, remote port, state; each run is shown with resolved names and again with raw addresses. tor.dizum.com, tor.noreply.org and faravahar.rabbani.jp are Tor directory authorities and 9001 is Tor's default ORPort, so the payload bootstraps a Tor client; the 127.0.0.1 49323/49324 pairs are its own loopback connections)
#3rd_full
--------------
wscript.exe 2968 TCP s5.mizbandp.com http ESTABLISHED

rad3C919.tmp 2644 TCP localhost 49324 ESTABLISHED
rad3C919.tmp 2644 TCP localhost 49323 ESTABLISHED
rad3C919.tmp 2644 TCP tor.dizum.com https ESTABLISHED
rad3C919.tmp 2644 TCP tor.noreply.org https ESTABLISHED
rad3C919.tmp 2644 TCP 133-241-15-51.rev.cloud.scaleway.com 9001 ESTABLISHED

rad3C919.tmp 2644 TCP 127.0.0.1 49324 ESTABLISHED
rad3C919.tmp 2644 TCP 127.0.0.1 49323 ESTABLISHED
rad3C919.tmp 2644 TCP 194.109.206.212 443 ESTABLISHED
rad3C919.tmp 2644 TCP 86.59.21.38 443 ESTABLISHED
rad3C919.tmp 2644 TCP 51.15.241.133 9001 ESTABLISHED
rad3C919.tmp 2644 TCP 5.9.151.241 4223 ESTABLISHED

#2nd_only_exe
--------------
sserv.exe 456 TCP 127.0.0.1 49323 ESTABLISHED
sserv.exe 456 TCP 127.0.0.1 49322 ESTABLISHED
sserv.exe 456 TCP 86.59.21.38 443 ESTABLISHED
sserv.exe 456 TCP 154.35.32.5 443 SYN_SENT

sserv.exe 456 TCP localhost 49323 ESTABLISHED
sserv.exe 456 TCP localhost 49322 ESTABLISHED
sserv.exe 456 TCP tor.noreply.org https ESTABLISHED
sserv.exe 456 TCP faravahar.rabbani.jp https SYN_SENT

#1st_js
--------------
wscript.exe 1620 37.187.134.89 80 ESTABLISHED

rad22DFE.tmp 2168 127.0.0.1 49324 ESTABLISHED
rad22DFE.tmp 2168 127.0.0.1 49323 ESTABLISHED
rad22DFE.tmp 2168 154.35.32.5 443 SYN_SENT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp
C:\tmp\rad3C919.tmp
(the rad*.tmp drop lands in C:\tmp, i.e. %temp% on this box, and is started through cmd.exe /c rather than directly)

persist
--------------
(columns: entry, description, publisher, image path, timestamp)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   12.11.2018 20:22
Client Server Runtime Subsystem | Command-line SCP/SFTP client | Simon Tatham | c:\programdata\windows\csrss.exe | 13.11.2018 7:05
(the binary carries pscp's version info and the name of the real csrss.exe, which lives in %SystemRoot%\System32, never under %ProgramData%)

drop
--------------
C:\tmp\rad3C919.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
(cached-certs, cached-microdesc-consensus, lock and state are the files of a Tor data directory)

C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs

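Added example, not part of the original post: Python detection logic for the artifacts listed under proc, comp, persist and drop, run over constructed telemetry modelled on those listings (process events with parent image, netstat-style rows, Run-key values, dropped file paths). It flags the wscript > cmd /c rad*.tmp launch, connections to the Tor directory authorities and ORPort seen above, a Run-key binary named csrss.exe outside System32, and a Tor data directory under %temp%. PIDs other than those on the page, the benign rows and the non-Tor IP are assumptions for the sample.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname

# Added example, not code from the original post. The telemetry below is
# constructed to mirror the page's proc / comp / persist / drop listings;
# PIDs not on the page, the benign rows and the non-Tor IP are assumptions.

# Tor directory authorities resolved on the page as tor.dizum.com,
# tor.noreply.org and faravahar.rabbani.jp; 9001 is Tor's default ORPort.
TOR_DIR_AUTHORITIES = {"194.109.206.212", "86.59.21.38", "154.35.32.5"}
TOR_OR_PORT = 9001
TOR_DATADIR_FILES = {"cached-certs", "cached-microdesc-consensus", "state", "lock"}
# Scripting.FileSystemObject.GetTempName() returns rad + 5 hex digits + .tmp
RAD_TMP = re.compile(r"\\rad[0-9a-f]{5}\.tmp\b", re.I)
# Core Windows process names that only belong under %SystemRoot%\System32
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "winlogon.exe"}

PROCESS_EVENTS = [  # Sysmon-style: image, parent image, command line
    {"pid": 1620, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\1.js"'},
    {"pid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\rad3C919.tmp'},
    {"pid": 2644, "image": r"C:\tmp\rad3C919.tmp",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\tmp\rad3C919.tmp"},
    {"pid": 900, "image": r"C:\Windows\System32\cmd.exe",   # benign cmd from explorer
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir'},
]
NETSTAT_ROWS = [  # process PID proto remote_ip remote_port state
    "rad3C919.tmp 2644 TCP 194.109.206.212 443 ESTABLISHED",
    "rad3C919.tmp 2644 TCP 51.15.241.133 9001 ESTABLISHED",
    "rad3C919.tmp 2644 TCP 127.0.0.1 49324 ESTABLISHED",
    "chrome.exe 3000 TCP 203.0.113.10 443 ESTABLISHED",   # benign, assumed IP
]
RUN_KEY_VALUES = [  # (entry name, image path) from HKCU\...\CurrentVersion\Run
    ("Client Server Runtime Subsystem", r"c:\programdata\windows\csrss.exe"),
    ("OneDrive", r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
DROPPED_FILES = [
    r"C:\tmp\6893A5D897\cached-certs",
    r"C:\tmp\6893A5D897\cached-microdesc-consensus",
    r"C:\tmp\6893A5D897\state",
    r"C:\Users\operator\Desktop\notes.txt",   # benign
]


def find_wsh_tmp_launch(events):
    """PIDs of cmd.exe spawned by wscript/cscript that run a rad*.tmp file."""
    hits = []
    for ev in events:
        image = basename(ev["image"]).lower()
        parent = basename(ev["parent_image"]).lower()
        if (image == "cmd.exe" and parent in ("wscript.exe", "cscript.exe")
                and RAD_TMP.search(ev["cmdline"])):
            hits.append(ev["pid"])
    return hits


def find_tor_connections(rows):
    """(process, pid, ip, port) for connections to a Tor directory authority or ORPort."""
    hits = []
    for row in rows:
        proc, pid, _proto, ip, port, _state = row.split()
        if ip in TOR_DIR_AUTHORITIES or int(port) == TOR_OR_PORT:
            hits.append((proc, int(pid), ip, int(port)))
    return hits


def find_masquerading_run_values(values):
    """Run-key entries whose binary is named like a core Windows process but sits outside System32."""
    hits = []
    for name, path in values:
        p = path.lower()
        if basename(p) in SYSTEM_BINARIES and not p.startswith("c:\\windows\\system32\\"):
            hits.append(name)
    return hits


def find_tor_datadirs(paths):
    """Directories that hold at least two of Tor's data-directory files."""
    seen = defaultdict(set)
    for path in paths:
        fname = basename(path).lower()
        if fname in TOR_DATADIR_FILES:
            seen[dirname(path)].add(fname)
    return sorted(d for d, files in seen.items() if len(files) >= 2)


def triage():
    """Run every check over the constructed telemetry and return the hits."""
    return {
        "wsh_tmp_launch": find_wsh_tmp_launch(PROCESS_EVENTS),
        "tor_connections": find_tor_connections(NETSTAT_ROWS),
        "masquerading_run": find_masquerading_run_values(RUN_KEY_VALUES),
        "tor_datadirs": find_tor_datadirs(DROPPED_FILES),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits}")
```

Each check is cheap on its own and noisy on its own (a Tor Browser user also talks to the directory authorities); the combination of a script-host child writing and launching a rad*.tmp, Tor bootstrap traffic from that .tmp, and a Run key pointing at csrss.exe under %ProgramData% is what makes this chain worth an alert.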
# # #
zip - https://www.virustotal.com/#/file/0ab779de3c8db5bc67ecf899170a4f52f765b99af5cc2f8d067a0717fa3238da/details
js - https://www.virustotal.com/#/file/dd0723371208b79e28134544f8e7e96f489a7ac8f35bf36b916ccaf1bd7a1739/details
exe (12/11) - https://www.virustotal.com/#/file/e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818/details
https://analyze.intezer.com/#/analyses/b0051a93-542b-4887-881a-fd270495d8d3

exe (13/11) - https://www.virustotal.com/#/file/884889664da9a0dae4ef3f93d55c6b5ee8ac7e99fbb501f4d8592a6a3f9fbb2e/details
https://analyze.intezer.com/#/analyses/94144b20-8e24-43f4-b2c2-23fe0b80e97d
https://www.virustotal.com/#/file/7a19bff555c95a92a5cdfb8e2eda6f078a43349a5d6dfc664226cf38ef5b9418/details
https://analyze.intezer.com/#/analyses/eb368e7e-7971-4172-a611-373086219d5a

ip - https://cymon.io/154.35.32.5
https://www.threatminer.org/host.php?q=154.35.32.5

@