VRad

#troldesh_261218

Dec 26th, 2018
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/kx8Y0XzR

previous contact:
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
Return-path: <wemalemu@web.de>
Envelope-to: user0@victim1.com
Delivery-date: Wed, 26 Dec 2018 13:54:53 +0200
Received: from mout.web.de ([217.72.192.78]:36673)
by srv8.victim1.com with esmtp id 1gc7m1-0006xN-8d
for <user0@victim1.com>; Wed, 26 Dec 2018 13:54:53 +0200
Received: from COMPUTER ([111.164.136.138]) by smtp.web.de (mrweb103
[213.165.67.124]) with ESMTPSA (Nemesis) id 0LwqJw-1hQlUo1Hqa-016Pky for
<user0@victim1.com>; Wed, 26 Dec 2018 12:54:51 +0100
From: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
Reply-To: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
To: user0@victim1.com
Subject: =?UTF-8?B?0L/QvtC00YDQvtCx0L3QvtGB0YLQuCDQt9Cw0LrQsNC30LA=?=
Content-Type: multipart/mixed; boundary="qbZqvK1nVsXsBMifovvcqsQhshmoGgHx"
Date: Wed, 26 Dec 2018 12:54:51 +0100

files
--------------
SHA-256 b79ac38d763012ff7dd67517773be989b7b07500e073ea76a1f76f097fefbda3
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.29 KB

SHA-256 0d04ea36263742ff3e501fd9dcdf2f60b60d6a10262fa05fcc33ec2829cd7759
File name zakaz.4285.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.15 KB

SHA-256 a6c7c2b620d607165ea4dafb936df998061fde1262e1ff477078a0528e3ea13a
File name информация о заказе.js
File size 6.41 KB

SHA-256 925b389565fcfca729ebdc6f8aef4aa37186d5ac70ced53099321acdc51086d4
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
**************

pl_src: h11p:\ bursacatifirmalari{.} net/js/sserv.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
ssl
193.23.244.244 www.fbqzosbkvvxub.com Client Hello

http
94.73.151.62 bursacatifirmalari.net GET /js/sserv.jpg HTTP/1.1 Mozilla/4.0
104.16.17.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
104.18.35.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 2020 94.73.151.62 80 ESTABLISHED

radCA388.tmp 3240 128.31.0.39 9101 ESTABLISHED
radCA388.tmp 3240 193.23.244.244 443 ESTABLISHED
radCA388.tmp 3240 188.138.1.166 9001 ESTABLISHED
radCA388.tmp 3240 163.172.170.52 9001 ESTABLISHED
radCA388.tmp 3240 37.187.1.29 9001 ESTABLISHED
radCA388.tmp 3240 163.172.170.52 9001 ESTABLISHED

[System] 0 104.16.17.96 80 TIME_WAIT
[System] 0 104.18.35.131 80 TIME_WAIT
radCA388.tmp 3240 128.31.0.39 9101 ESTABLISHED
radCA388.tmp 3240 193.23.244.244 443 ESTABLISHED
radCA388.tmp 3240 188.138.1.166 9001 ESTABLISHED
radCA388.tmp 3240 163.172.170.52 9001 ESTABLISHED
radCA388.tmp 3240 37.187.1.29 9001 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radCA388.tmp
C:\tmp\radCA388.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 16:30
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 26.12.2018 13:17

drop
--------------
C:\tmp\radCA388.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe
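
triage_example (added, not part of the original paste)
--------------
A small Python triage script, my own code rather than anything from the paste or its author, that turns the comp / proc / persist observations above into detection rules: the IOC addresses, wscript.exe holding a socket, a %temp%\*.tmp image talking out, cmd.exe launching a .tmp, vssadmin deleting shadow copies, and a Run key pointing at a csrss.exe outside System32. The sample lines it scans are constructed in the paste's own layout (a benign chrome.exe and OneDrive entry are mixed in so the rules have something to ignore); the rule names, the list of System32-only process names and the script extensions are my assumptions.

```python
"""Triage helper for the Troldesh/Shade indicators listed above.
Added example, not part of the original paste: applies the report's IOC IPs and
observed behaviours to constructed samples laid out like the "comp", "proc" and
"persist" sections, returning one finding per matched rule."""
import re

# Constructed sample input (not real telemetry): process, pid, remote ip, port, state.
SAMPLE_CONNECTIONS = """\
wscript.exe 2020 94.73.151.62 80 ESTABLISHED
radCA388.tmp 3240 128.31.0.39 9101 ESTABLISHED
radCA388.tmp 3240 193.23.244.244 443 ESTABLISHED
chrome.exe 4412 203.0.113.10 443 ESTABLISHED
"""
# Constructed command lines; the first four mirror the paste's "proc" section.
SAMPLE_PROCESSES = r"""
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radCA388.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
"C:\Program Files\Editor\editor.exe" notes.txt
"""
# Constructed Run-key values: value name followed by the command it launches.
SAMPLE_RUN_KEYS = r"""
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe
OneDrive C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""

# Remote addresses taken from the paste's "netwrk" and "comp" sections.
IOC_IPS = {"94.73.151.62", "193.23.244.244", "128.31.0.39",
           "188.138.1.166", "163.172.170.52", "37.187.1.29"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Assumption: these names only ever run from System32, so any other path is a masquerade.
SYSTEM_ONLY_NAMES = {"csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted token or bare token
RUN_VALUE = re.compile(r"^(?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.+)$")

def split_cmdline(line):
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(line)]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def check_connections(text):
    """Flag known IOC addresses, script hosts holding sockets, and running *.tmp files."""
    findings = []
    for line in _lines(text):
        parts = line.split()
        if len(parts) != 5:  # not in "name pid ip port state" layout
            continue
        name, _pid, ip, _port, _state = parts
        name = name.lower()
        if ip in IOC_IPS:
            findings.append({"rule": "ioc_ip", "evidence": line})
        if name in SCRIPT_HOSTS:  # WSH itself talking out: the loader stage
            findings.append({"rule": "script_host_network", "evidence": line})
        if name.endswith(".tmp"):  # %temp%\*.tmp payload talking out: the rad*.tmp stage
            findings.append({"rule": "tmp_executable_network", "evidence": line})
    return findings

def check_processes(text):
    """Flag WSH running a script, cmd launching a .tmp, and vssadmin deleting shadows
    (listing shadows alone is not flagged)."""
    findings = []
    for line in _lines(text):
        tokens = split_cmdline(line)
        image, args = basename(tokens[0]), [a.lower() for a in tokens[1:]]
        if image in SCRIPT_HOSTS and any(a.endswith(SCRIPT_EXTS) for a in args):
            findings.append({"rule": "wsh_script_launch", "evidence": line})
        if image == "cmd.exe" and any(a.endswith(".tmp") for a in args):
            findings.append({"rule": "cmd_launches_tmp", "evidence": line})
        if image == "vssadmin.exe" and "delete" in args and "shadows" in args:
            findings.append({"rule": "shadow_copy_deletion", "evidence": line})
    return findings

def check_run_keys(text):
    """Flag Run-key entries whose image borrows a System32-only name from elsewhere."""
    findings = []
    for line in _lines(text):
        m = RUN_VALUE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        if basename(path) in SYSTEM_ONLY_NAMES and "\\windows\\system32\\" not in path:
            findings.append({"rule": "run_key_masquerade", "evidence": line})
    return findings

def triage():
    """Run all three checks over the constructed samples."""
    return (check_connections(SAMPLE_CONNECTIONS)
            + check_processes(SAMPLE_PROCESSES)
            + check_run_keys(SAMPLE_RUN_KEYS))

if __name__ == "__main__":
    for f in triage():
        print(f"{f['rule']:24} {f['evidence']}")
```

Run it as-is to see the ten findings from the samples; in practice the three check_* functions would be fed netstat, process-creation and Run-key exports from the host under triage. The vssadmin rule deliberately ignores "List Shadows", which also appears in the proc section above but is common in benign backup tooling; only the "Delete Shadows" step is the destructive one worth alerting on.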

VR

# # #
https://www.virustotal.com/#/file/b79ac38d763012ff7dd67517773be989b7b07500e073ea76a1f76f097fefbda3/details
https://www.virustotal.com/#/file/0d04ea36263742ff3e501fd9dcdf2f60b60d6a10262fa05fcc33ec2829cd7759/details
https://www.virustotal.com/#/file/a6c7c2b620d607165ea4dafb936df998061fde1262e1ff477078a0528e3ea13a/details
https://www.virustotal.com/#/file/925b389565fcfca729ebdc6f8aef4aa37186d5ac70ced53099321acdc51086d4/details
https://analyze.intezer.com/#/analyses/21ae0292-2dcf-4ced-b979-754451242c2d

@