#troldesh_241218

VRad Dec 26th, 2018 (edited) 464 Never
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/mMMZe73m

previous contacts:
12/11/18    https://pastebin.com/1y8MpRZq
14/09/18    https://pastebin.com/q6L376A8
14/09/18    https://pastebin.com/L8MvAccK
12/09/18    https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
n/a

files
--------------
SHA-256 c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18
File name   24.12.2018.docx.zip     [Zip archive data, at least v2.0 to extract]
File size   3.22 KB

SHA-256 0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e
File name   отдел спецпроектов заказ 21.12.2018.js
File size   6.49 KB

SHA-256 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name   sserv.jpg (csrss.exe)       [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.02 MB

activity
**************

pl_src:     h11p:\ bottraxanhtini{.} com/wp-content/themes/coinpr/assets/css/sserv.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
ssl
185.100.84.251  www.svgrjonzk3myor.com      Client Hello
62.141.39.160   www.m7r36d5q.com            Client Hello
194.109.206.212 www.4icku6mw6244ndu5qy.com  Client Hello
62.138.18.136   sicherr.com                 Client Hello

http
104.16.19.96    whatismyipaddress.com       GET / HTTP/1.1  Mozilla/5.0
104.18.35.131   whatsmyip.net               GET / HTTP/1.1  Mozilla/5.0

comp
--------------
wscript.exe         3896    62.138.18.136   443     ESTABLISHED
radD1CBD.tmp        2212    127.0.0.1       50950   ESTABLISHED
radD1CBD.tmp        2212    127.0.0.1       50949   ESTABLISHED
radD1CBD.tmp        2212    154.35.32.5     443     SYN_SENT
[System Process]    0       104.16.19.96    80      TIME_WAIT
[System Process]    0       104.18.35.131   80      TIME_WAIT
radD1CBD.tmp        2212    128.31.0.39     9101    ESTABLISHED
radD1CBD.tmp        2212    194.109.206.212 443     ESTABLISHED
radD1CBD.tmp        2212    62.141.39.160   443     ESTABLISHED
radD1CBD.tmp        2212    185.100.84.251  443     ESTABLISHED
radD1CBD.tmp        2212    51.15.89.36     9100    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\отдел спецпроектов заказ 21.12.2018.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radD1CBD.tmp
C:\tmp\radD1CBD.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              26.12.2018 12:37
Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    26.12.2018 5:23

drop
--------------
C:\tmp\radD1CBD.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

VR

# # #
https://www.virustotal.com/#/file/c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18/details
https://www.virustotal.com/#/file/0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/66d523a1-b4f6-4216-9467-1e6c9e3d5f4c

@