#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/mMMZe73m

previous contact:
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
n/a

files
--------------
SHA-256   c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18
File name 24.12.2018.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.22 KB

SHA-256   0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e
File name отдел спецпроектов заказ 21.12.2018.js
File size 6.49 KB

SHA-256   50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
**************
pl_src: h11p:\ bottraxanhtini{.} com/wp-content/themes/coinpr/assets/css/sserv.jpg
.crypted000007
pilotpilot088@gmail.com

netwrk
--------------
ssl
185.100.84.251    www.svgrjonzk3myor.com         Client Hello
62.141.39.160     www.m7r36d5q.com               Client Hello
194.109.206.212   www.4icku6mw6244ndu5qy.com     Client Hello
62.138.18.136     sicherr.com                    Client Hello

http
104.16.19.96      whatismyipaddress.com   GET / HTTP/1.1   Mozilla/5.0
104.18.35.131     whatsmyip.net           GET / HTTP/1.1   Mozilla/5.0

comp
--------------
wscript.exe        3896   62.138.18.136     443     ESTABLISHED
radD1CBD.tmp       2212   127.0.0.1         50950   ESTABLISHED
radD1CBD.tmp       2212   127.0.0.1         50949   ESTABLISHED
radD1CBD.tmp       2212   154.35.32.5       443     SYN_SENT
[System Process]   0      104.16.19.96      80      TIME_WAIT
[System Process]   0      104.18.35.131     80      TIME_WAIT
radD1CBD.tmp       2212   128.31.0.39       9101    ESTABLISHED
radD1CBD.tmp       2212   194.109.206.212   443     ESTABLISHED
radD1CBD.tmp       2212   62.141.39.160     443     ESTABLISHED
radD1CBD.tmp       2212   185.100.84.251    443     ESTABLISHED
radD1CBD.tmp       2212   51.15.89.36       9100    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\отдел спецпроектов заказ 21.12.2018.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radD1CBD.tmp
C:\tmp\radD1CBD.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com
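As an added defender-side example that is not part of the original paste, the following Python turns the proc section above into a process-chain detection: it scans (parent image, child command line) events for WSH launching a script from a user folder, WSH handing a *.tmp payload to cmd.exe, and the vssadmin shadow-copy wipe, then checks whether the three fire in order. The sample events are constructed from the paste's own command lines; the parent process names and the final benign control event are assumptions.

```python
import re

# Constructed sample of (parent image, child command line) events modelled on
# the proc section of this IOC note. Parent names and the last, benign event are
# assumptions added for the example, not data from the paste.
SAMPLE_EVENTS = [
    ("explorer.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\отдел спецпроектов заказ 21.12.2018.js"'),
    ("wscript.exe",  r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radD1CBD.tmp'),
    ("cmd.exe",      r'C:\tmp\radD1CBD.tmp'),
    ("radD1CBD.tmp", r'C:\Windows\system32\vssadmin.exe List Shadows'),
    ("radD1CBD.tmp", r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ("explorer.exe", r'"C:\Windows\System32\WScript.exe" "C:\Scripts\inventory.js"'),
]

# (rule name, regex the parent image must match or None, regex on the command line):
# script host run from a user-writable folder; WSH passing a *.tmp to cmd.exe;
# a bare *.tmp executed from C:\tmp; the shadow-copy wipe that precedes encryption.
RULES = [
    ("wsh_script_from_user_dir", None,
     r'wscript\.exe"?\s+"?[a-z]:\\users\\[^"]*\\(desktop|downloads|appdata\\local\\temp)\\[^"]*\.(js|jse|vbs|vbe|wsf)'),
    ("wsh_spawns_cmd_tmp", r'^(wscript|cscript)\.exe$',
     r'cmd\.exe"?\s+/c\s+.*\\[^\\\s]+\.tmp$'),
    ("exec_from_tmp", None, r'^"?[a-z]:\\tmp\\[^\\]+\.tmp"?$'),
    ("vssadmin_delete_shadows", None, r'vssadmin\.exe"?\s+delete\s+shadows\s+/all\s+/quiet'),
]

def scan(events):
    """Return [(rule_name, command_line)] for every event that matches a rule, in event order."""
    hits = []
    for parent, cmdline in events:
        for name, parent_re, cmd_re in RULES:
            if parent_re and not re.search(parent_re, parent, re.I):
                continue
            if re.search(cmd_re, cmdline, re.I):
                hits.append((name, cmdline))
    return hits

# Steps that together make up the ZIP > JS > WSH > %temp% dropper > shadow wipe chain.
CHAIN = ("wsh_script_from_user_dir", "wsh_spawns_cmd_tmp", "vssadmin_delete_shadows")

def troldesh_chain_seen(events):
    """True when every CHAIN step fires, in order, somewhere in the event stream."""
    names = [name for name, _ in scan(events)]
    pos = 0
    for step in CHAIN:
        if step not in names[pos:]:
            return False
        pos = names.index(step, pos) + 1
    return True
```

On the sample, scan() flags four events and troldesh_chain_seen() returns True; the benign inventory.js launch produces no hit because it does not run from a user folder.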
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                  26.12.2018 12:37
Client Server Runtime Subsystem   c:\programdata\windows\csrss.exe                  26.12.2018 5:23

drop
--------------
C:\tmp\radD1CBD.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe

VR
# # #
https://www.virustotal.com/#/file/c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18/details
https://www.virustotal.com/#/file/0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/66d523a1-b4f6-4216-9467-1e6c9e3d5f4c