- #IOC #OptiData #VR #shade #troldesh #WSH #URL #indexZIP
- https://pastebin.com/efcuw6WX
- previous contact:
- 19/03/19 https://pastebin.com/J1Mx2CaB
- 25/02/18 https://pastebin.com/vMUxTH8C
- 20/02/18 https://pastebin.com/4XDjjWZh
- 28/12/18 https://pastebin.com/E3isAsmV
- 26/12/18 https://pastebin.com/kx8Y0XzR
- 25/12/18 https://pastebin.com/xNRiz3QW
- 24/12/18 https://pastebin.com/mMMZe73m
- FAQ:
- https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
- https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
- attack_vector
- --------------
- email URL > GET index.html (ZIP) > JS > GET jpg (exe) > encrypt
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 6aacde9d66b03499510d36c4bdaa065f4ab097b6b0e713743a69795fdaf064f8
- File name index.html (doc.zip) [Zip archive data, at least v2.0 to extract]
- File size 12.08 KB (12372 bytes)
- SHA-256 4b96d19f03917fc902de321768e8107aaa0827708b54b622e8c7b51c07d04824
- File name Информация о заказе.xls.js [ASCII C program text, with very long lines, with CRLF, LF line terminators]
- File size 19.54 KB (20014 bytes)
- SHA-256 46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47
- File name 2c.jpg [PE32 executable for MS Windows (GUI) Intel 80386 32-bit ]
- File size 1.96 MB (2055680 bytes)
- activity
- **************
- PL_SCR
- zip
- http://van-lummel.nl/wp-admin/css/colors/blue/xls/
- http://ideas-to-go.de/wp-content/themes/spacious/js/doc/
- exe
- http://jdcontractingomaha.com/wp-content/blogs.dir/2c.jpg
- http://valerieheslop.co.uk/templates/beez_20/fonts/2c.jpg
- C2
- netwrk
- --------------
- [ssl]
- 194.109.206.212 rwti2mg.com Client Hello
- 131.188.40.189 owfuyihrdgwbywasar7ndqhm.com Client Hello
- 51.68.205.181 fviiio37lfy.com Client Hello
- 5.79.68.161 5ohvar7b3n64vhbi2i6zs43m.com Client Hello
- [http]
- 132.148.98.116 jdcontractingomaha.com GET /wp-content/blogs.dir/2c.jpg HTTP/1.1 Mozilla/4.0
- [!This program cannot be run in DOS mode]
- 66.171.248.178 ipv4bot.whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
- comp
- --------------
- wscript.exe 1652 TCP 132.148.98.116 80 ESTABLISHED
- rad01567.tmp 2792 TCP 131.188.40.189 443 ESTABLISHED
- rad01567.tmp 2792 TCP 128.31.0.39 9101 ESTABLISHED
- rad01567.tmp 2792 TCP 5.79.68.161 443 ESTABLISHED
- rad01567.tmp 2792 TCP 51.68.205.181 443 ESTABLISHED
- rad01567.tmp 2792 TCP 212.47.236.86 9001 ESTABLISHED
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация о заказе.xls.js"
- "C:\Windows\System32\cmd.exe" /c C:\tmp\rad01567.tmp
- C:\tmp\rad01567.tmp
- C:\Windows\system32\vssadmin.exe List Shadows
- "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\SysWOW64\chcp.com
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.09.2019 16:09
- Client Server Runtime Subsystem Remotely Imprvement Vases Sonic Foundry
- c:\programdata\windows\csrss.exe 18.09.2019 3:43
- drop
- --------------
- C:\tmp\Temporary Internet Files\Content.IE5\RSS 4UEVC\2c[1].jpg
- C:\tmp\rad01567.tmp
- C:\tmp\6893A5D897\cached-certs
- C:\tmp\6893A5D897\cached-microdesc-consensus
- C:\tmp\6893A5D897\cached-microdescs.new
- C:\tmp\6893A5D897\lock
- C:\tmp\6893A5D897\state
- C:\ProgramData\Windows\csrss.exe
- # # #
- Вашu файлы были зaшuфрoвaны.
- Чmoбы рaсшuфрoвать uх, Вaм нeoбхoдимo оmnравuть код:
- 85F93484188BBACD2983|0
- нa элекmpoнный адpес pilotpilot088@gmail.com .
- Далее вы noлyчume вcе необхoдимыe инстpуkции.
- crypted000007
- # # #
- https://www.virustotal.com/gui/file/6aacde9d66b03499510d36c4bdaa065f4ab097b6b0e713743a69795fdaf064f8/details
- https://www.virustotal.com/gui/file/4b96d19f03917fc902de321768e8107aaa0827708b54b622e8c7b51c07d04824/details
- https://www.virustotal.com/gui/file/46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47/details
- https://analyze.intezer.com/#/analyses/5aa9c535-36a1-4772-8926-6a59bfba6ad9
- VR
- @