#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/kx8Y0XzR

previous contact:
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
Return-path: <wemalemu@web.de>
Envelope-to: user0@victim1.com
Delivery-date: Wed, 26 Dec 2018 13:54:53 +0200
Received: from mout.web.de ([217.72.192.78]:36673)
by srv8.victim1.com with esmtp id 1gc7m1-0006xN-8d
for <user0@victim1.com>; Wed, 26 Dec 2018 13:54:53 +0200
Received: from COMPUTER ([111.164.136.138]) by smtp.web.de (mrweb103
[213.165.67.124]) with ESMTPSA (Nemesis) id 0LwqJw-1hQlUo1Hqa-016Pky for
<user0@victim1.com>; Wed, 26 Dec 2018 12:54:51 +0100
From: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
Reply-To: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
To: user0@victim1.com
Subject: =?UTF-8?B?0L/QvtC00YDQvtCx0L3QvtGB0YLQuCDQt9Cw0LrQsNC30LA=?=
Content-Type: multipart/mixed; boundary="qbZqvK1nVsXsBMifovvcqsQhshmoGgHx"
Date: Wed, 26 Dec 2018 12:54:51 +0100

files
--------------
SHA-256 b79ac38d763012ff7dd67517773be989b7b07500e073ea76a1f76f097fefbda3
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.29 KB

SHA-256 0d04ea36263742ff3e501fd9dcdf2f60b60d6a10262fa05fcc33ec2829cd7759
File name zakaz.4285.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.15 KB

SHA-256 a6c7c2b620d607165ea4dafb936df998061fde1262e1ff477078a0528e3ea13a
File name информация о заказе.js
File size 6.41 KB

SHA-256 925b389565fcfca729ebdc6f8aef4aa37186d5ac70ced53099321acdc51086d4
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
**************
pl_src: h11p:\ bursacatifirmalari{.} net/js/sserv.jpg
.crypted000007
pilotpilot088@gmail.com

netwrk
--------------
ssl
193.23.244.244 www.fbqzosbkvvxub.com Client Hello

http
94.73.151.62 bursacatifirmalari.net GET /js/sserv.jpg HTTP/1.1 Mozilla/4.0
104.16.17.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
104.18.35.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 2020 94.73.151.62 80 ESTABLISHED
radCA388.tmp 3240 128.31.0.39 9101 ESTABLISHED
radCA388.tmp 3240 193.23.244.244 443 ESTABLISHED
radCA388.tmp 3240 188.138.1.166 9001 ESTABLISHED
radCA388.tmp 3240 163.172.170.52 9001 ESTABLISHED
radCA388.tmp 3240 37.187.1.29 9001 ESTABLISHED
radCA388.tmp 3240 163.172.170.52 9001 ESTABLISHED
[System] 0 104.16.17.96 80 TIME_WAIT
[System] 0 104.18.35.131 80 TIME_WAIT
radCA388.tmp 3240 128.31.0.39 9101 ESTABLISHED
radCA388.tmp 3240 193.23.244.244 443 ESTABLISHED
radCA388.tmp 3240 188.138.1.166 9001 ESTABLISHED
radCA388.tmp 3240 163.172.170.52 9001 ESTABLISHED
radCA388.tmp 3240 37.187.1.29 9001 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radCA388.tmp
C:\tmp\radCA388.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 16:30
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 26.12.2018 13:17

drop
--------------
C:\tmp\radCA388.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe

VR
# # #
https://www.virustotal.com/#/file/b79ac38d763012ff7dd67517773be989b7b07500e073ea76a1f76f097fefbda3/details
https://www.virustotal.com/#/file/0d04ea36263742ff3e501fd9dcdf2f60b60d6a10262fa05fcc33ec2829cd7759/details
https://www.virustotal.com/#/file/a6c7c2b620d607165ea4dafb936df998061fde1262e1ff477078a0528e3ea13a/details
https://www.virustotal.com/#/file/925b389565fcfca729ebdc6f8aef4aa37186d5ac70ced53099321acdc51086d4/details
https://analyze.intezer.com/#/analyses/21ae0292-2dcf-4ced-b979-754451242c2d
@
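Added example (not part of the paste): behavioural checks a defender could run over the kinds of host telemetry this IOC list reports (process command lines, netstat-style connection rows, Run-key values), so the chain is caught by what it does rather than by the hashes alone. The sample records are copied from the proc, comp and persist sections above; the rule names, the TOR_PORTS set (9030 added as an assumption alongside the 9001/9101 seen above) and the short SYSTEM_ONLY list are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tor relay/directory ports: 9001 and 9101 appear in the connection table,
# 9030 (common directory port) is added here as an assumption.
TOR_PORTS = {9001, 9030, 9101}
# Script hosts that should not normally hold outbound internet connections.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Binary names that only legitimately run from the Windows system directories
# (illustrative list, not exhaustive).
SYSTEM_ONLY = {"csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_process(cmdline: str) -> List[Finding]:
    """Flag launches matching the chain: WSH running a .js, a %tmp%\\rad*.tmp
    payload, and shadow-copy deletion (the ransomware's anti-recovery step)."""
    low = cmdline.lower()
    hits = []
    if "vssadmin" in low and "delete shadows" in low:
        hits.append(Finding("vssadmin_delete_shadows", cmdline))
    if re.search(r"\b(w|c)script\.exe\b.*\.js\b", low):
        hits.append(Finding("wsh_js_launch", cmdline))
    if re.search(r"\\tmp\\rad[0-9a-f]{4,8}\.tmp\b", low):
        hits.append(Finding("tmp_payload_exec", cmdline))
    return hits


def parse_connection(row: str) -> Tuple[str, int, str, int, str]:
    """Parse a 'proc pid remote_ip remote_port state' row as listed under comp."""
    proc, pid, ip, port, state = row.split()
    return proc, int(pid), ip, int(port), state


def check_connection(row: str) -> List[Finding]:
    """Flag established connections from script hosts or .tmp files, and any
    connection to a Tor relay/directory port."""
    proc, _pid, _ip, port, state = parse_connection(row)
    hits = []
    if state != "ESTABLISHED":
        return hits
    p = proc.lower()
    if p in SCRIPT_HOSTS:
        hits.append(Finding("script_host_outbound", row))
    if p.endswith(".tmp"):
        hits.append(Finding("tmp_file_outbound", row))
    if port in TOR_PORTS:
        hits.append(Finding("tor_port_outbound", row))
    return hits


def check_run_value(value_name: str, command: str) -> List[Finding]:
    """Flag a Run-key value whose target borrows a system binary's name but
    lives outside System32/SysWOW64 (csrss.exe under ProgramData above)."""
    path = command.strip('"').lower()
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_ONLY and not SYSTEM_DIRS.match(path):
        return [Finding("system_binary_name_outside_system_dir",
                        f"{value_name} -> {command}")]
    return []


def triage(procs: List[str], conns: List[str],
           run_values: List[Tuple[str, str]]) -> Dict[str, int]:
    """Run all checks and return a count of hits per rule."""
    findings: List[Finding] = []
    for c in procs:
        findings += check_process(c)
    for r in conns:
        findings += check_connection(r)
    for name, cmd in run_values:
        findings += check_run_value(name, cmd)
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f.rule] = summary.get(f.rule, 0) + 1
    return summary


# Sample records copied from the proc / comp / persist sections of the paste.
SAMPLE_PROCS = [
    r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"',
    r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radCA388.tmp',
    r'C:\tmp\radCA388.tmp',
    r'C:\Windows\system32\vssadmin.exe List Shadows',
    r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'C:\Windows\SysWOW64\chcp.com',
]
SAMPLE_CONNS = [
    "wscript.exe 2020 94.73.151.62 80 ESTABLISHED",
    "radCA388.tmp 3240 128.31.0.39 9101 ESTABLISHED",
    "radCA388.tmp 3240 193.23.244.244 443 ESTABLISHED",
    "radCA388.tmp 3240 188.138.1.166 9001 ESTABLISHED",
    "[System] 0 104.16.17.96 80 TIME_WAIT",
]
SAMPLE_RUN = [("Client Server Runtime Subsystem", r"c:\programdata\windows\csrss.exe")]

if __name__ == "__main__":
    for rule, n in sorted(triage(SAMPLE_PROCS, SAMPLE_CONNS, SAMPLE_RUN).items()):
        print(f"{rule}: {n}")
```

The `vssadmin List Shadows` row and the `[System]` TIME_WAIT rows are deliberately left unflagged: listing shadows is routine, and the only signal in the whatismyip lookups is the subsequent .tmp process, which the other rules already catch.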