VRad

#troldesh_281218

Dec 28th, 2018
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/E3isAsmV

previous contact:
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 2 URL > %temp%\*.tmp

email_headers
--------------
Received: from cpsmtpb-ews04.kpnxchange.com (cpsmtpb-ews04.kpnxchange.com [213.75.39.7])
by srv8.victim1.com for <user0@org7.victim1.com>;
Fri, 28 Dec 2018 07:25:48 +0200 (EET) (envelope-from antonsk@hetnet.nl)
Received: from cpsps-ews10.kpnxchange.com ([10.94.84.177]) by cpsmtpb-ews04.kpnxchange.com
Received: from CPSMTPM-CMT103.kpnxchange.com ([195.121.3.19]) by cpsps-ews10.kpnxchange.com
Received: from COMPUTER ([187.188.183.5]) by CPSMTPM-CMT103.kpnxchange.com
From: Копылов <antonsk@hetnet.nl>
Reply-To: Копылов <antonsk@hetnet.nl>
To: user0@org7.victim1.com
Subject: подробности заказа
Date: 28 Dec 2018 06:25:42 +0100

files
--------------
SHA-256 85864705e56d270581da68b629c1073f68e5cc6727d32cb2455caeb17135a56b
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.52 KB

SHA-256 aee7fef0d9518caa61cc043feb7272bb26f7f562dc378e0c022ab662be96f4b5
File name zakaz.zip [Zip archive data, at least v2.0 to extract]
File size 3.42 KB

SHA-256 4c13089e2a9f2909a9d833e2f3f76a8b7cfe85a19f49d134e7e30edcd519c1f4
File name Информация о заказе.js
File size 7.19 KB

SHA-256 6e748e99e864e4741156e9c47804bd64d04945be2115cdba2a3ca5668bd69f90
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.03 MB

activity
--------------

pl_src: h11p:\ dincerturizm{.} com/sserv.jpg
h11p:\ shly.fsygroup{.} com//wp-content/languages/themes/sserv.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
ssl
5.135.115.34 www.m2zgy3xuxfq4hjqzdg.com Client Hello
62.210.5.178 www.kkbbed5.com Client Hello

http
94.73.146.142 dincerturizm.com GET /sserv.jpg HTTP/1.1 Mozilla/4.0
104.16.20.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
104.18.34.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 2652 94.73.146.142 80 ESTABLISHED

radC694E.tmp 3208 127.0.0.1 50951 ESTABLISHED
radC694E.tmp 3208 127.0.0.1 50950 ESTABLISHED
radC694E.tmp 3208 171.25.193.9 80 ESTABLISHED
radC694E.tmp 3208 178.63.25.10 9001 ESTABLISHED
radC694E.tmp 3208 5.135.115.34 443 ESTABLISHED
radC694E.tmp 3208 62.210.5.178 443 ESTABLISHED

[System] 0 127.0.0.1 44023 TIME_WAIT
[System] 0 127.0.0.1 44023 TIME_WAIT
[System] 0 127.0.0.1 50972 TIME_WAIT
[System] 0 127.0.0.1 44023 TIME_WAIT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radC694E.tmp
C:\tmp\radC694E.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28.12.2018 13:07
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 28.12.2018 5:53

drop
--------------
C:\tmp\radC694E.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

VR

# # #
https://www.virustotal.com/#/file/85864705e56d270581da68b629c1073f68e5cc6727d32cb2455caeb17135a56b/details
https://www.virustotal.com/#/file/aee7fef0d9518caa61cc043feb7272bb26f7f562dc378e0c022ab662be96f4b5/details
https://www.virustotal.com/#/file/4c13089e2a9f2909a9d833e2f3f76a8b7cfe85a19f49d134e7e30edcd519c1f4/details
https://www.virustotal.com/#/file/6e748e99e864e4741156e9c47804bd64d04945be2115cdba2a3ca5668bd69f90/details
https://analyze.intezer.com/#/analyses/a2fa42ed-e57e-4e15-92c4-e0cfe8bb7944