VRad

#troldesh_241218

Dec 26th, 2018
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/mMMZe73m

previous contact:
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
n/a

files
--------------
SHA-256 c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18
File name 24.12.2018.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.22 KB

SHA-256 0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e
File name отдел спецпроектов заказ 21.12.2018.js
File size 6.49 KB

SHA-256 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
**************

pl_src: h11p:\ bottraxanhtini{.} com/wp-content/themes/coinpr/assets/css/sserv.jpg

.crypted000007


netwrk
--------------
ssl
185.100.84.251 www.svgrjonzk3myor.com Client Hello
62.141.39.160 www.m7r36d5q.com Client Hello
194.109.206.212 www.4icku6mw6244ndu5qy.com Client Hello
62.138.18.136 sicherr.com Client Hello

http
104.16.19.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
104.18.35.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 3896 62.138.18.136 443 ESTABLISHED
radD1CBD.tmp 2212 127.0.0.1 50950 ESTABLISHED
radD1CBD.tmp 2212 127.0.0.1 50949 ESTABLISHED
radD1CBD.tmp 2212 154.35.32.5 443 SYN_SENT
[System Process] 0 104.16.19.96 80 TIME_WAIT
[System Process] 0 104.18.35.131 80 TIME_WAIT
radD1CBD.tmp 2212 128.31.0.39 9101 ESTABLISHED
radD1CBD.tmp 2212 194.109.206.212 443 ESTABLISHED
radD1CBD.tmp 2212 62.141.39.160 443 ESTABLISHED
radD1CBD.tmp 2212 185.100.84.251 443 ESTABLISHED
radD1CBD.tmp 2212 51.15.89.36 9100 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\отдел спецпроектов заказ 21.12.2018.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radD1CBD.tmp
C:\tmp\radD1CBD.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 12:37
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 26.12.2018 5:23

drop
--------------
C:\tmp\radD1CBD.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

VR

# # #
https://www.virustotal.com/#/file/c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18/details
https://www.virustotal.com/#/file/0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/66d523a1-b4f6-4216-9467-1e6c9e3d5f4c

@