#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/E3isAsmV

previous contact:
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 2 URL > %temp%\*.tmp

email_headers
--------------
Received: from cpsmtpb-ews04.kpnxchange.com (cpsmtpb-ews04.kpnxchange.com [213.75.39.7])
by srv8.victim1.com for <user0@org7.victim1.com>;
Fri, 28 Dec 2018 07:25:48 +0200 (EET) (envelope-from antonsk@hetnet.nl)
Received: from cpsps-ews10.kpnxchange.com ([10.94.84.177]) by cpsmtpb-ews04.kpnxchange.com
Received: from CPSMTPM-CMT103.kpnxchange.com ([195.121.3.19]) by cpsps-ews10.kpnxchange.com
Received: from COMPUTER ([187.188.183.5]) by CPSMTPM-CMT103.kpnxchange.com
From: Копылов <antonsk@hetnet.nl>
Reply-To: Копылов <antonsk@hetnet.nl>
To: user0@org7.victim1.com
Subject: подробности заказа
Date: 28 Dec 2018 06:25:42 +0100

files
--------------
SHA-256 85864705e56d270581da68b629c1073f68e5cc6727d32cb2455caeb17135a56b
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.52 KB

SHA-256 aee7fef0d9518caa61cc043feb7272bb26f7f562dc378e0c022ab662be96f4b5
File name zakaz.zip [Zip archive data, at least v2.0 to extract]
File size 3.42 KB

SHA-256 4c13089e2a9f2909a9d833e2f3f76a8b7cfe85a19f49d134e7e30edcd519c1f4
File name Информация о заказе.js
File size 7.19 KB

SHA-256 6e748e99e864e4741156e9c47804bd64d04945be2115cdba2a3ca5668bd69f90
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.03 MB

activity
**************
pl_src: h11p:\ dincerturizm{.} com/sserv.jpg
        h11p:\ shly.fsygroup{.} com//wp-content/languages/themes/sserv.jpg
.crypted000007
pilotpilot088@gmail.com

netwrk
--------------
ssl
5.135.115.34 www.m2zgy3xuxfq4hjqzdg.com Client Hello
62.210.5.178 www.kkbbed5.com Client Hello
http
94.73.146.142 dincerturizm.com GET /sserv.jpg HTTP/1.1 Mozilla/4.0
104.16.20.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
104.18.34.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 2652 94.73.146.142 80 ESTABLISHED
radC694E.tmp 3208 127.0.0.1 50951 ESTABLISHED
radC694E.tmp 3208 127.0.0.1 50950 ESTABLISHED
radC694E.tmp 3208 171.25.193.9 80 ESTABLISHED
radC694E.tmp 3208 178.63.25.10 9001 ESTABLISHED
radC694E.tmp 3208 5.135.115.34 443 ESTABLISHED
radC694E.tmp 3208 62.210.5.178 443 ESTABLISHED
[System] 0 127.0.0.1 44023 TIME_WAIT
[System] 0 127.0.0.1 44023 TIME_WAIT
[System] 0 127.0.0.1 50972 TIME_WAIT
[System] 0 127.0.0.1 44023 TIME_WAIT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radC694E.tmp
C:\tmp\radC694E.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28.12.2018 13:07
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 28.12.2018 5:53

drop
--------------
C:\tmp\radC694E.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe

VR
# # #
https://www.virustotal.com/#/file/85864705e56d270581da68b629c1073f68e5cc6727d32cb2455caeb17135a56b/details
https://www.virustotal.com/#/file/aee7fef0d9518caa61cc043feb7272bb26f7f562dc378e0c022ab662be96f4b5/details
https://www.virustotal.com/#/file/4c13089e2a9f2909a9d833e2f3f76a8b7cfe85a19f49d134e7e30edcd519c1f4/details
https://www.virustotal.com/#/file/6e748e99e864e4741156e9c47804bd64d04945be2115cdba2a3ca5668bd69f90/details
https://analyze.intezer.com/#/analyses/a2fa42ed-e57e-4e15-92c4-e0cfe8bb7944