VRad

#troldesh_241218

Dec 26th, 2018
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/mMMZe73m

previous contact:
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
n/a

files
--------------
SHA-256 c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18
File name 24.12.2018.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.22 KB

SHA-256 0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e
File name отдел спецпроектов заказ 21.12.2018.js
File size 6.49 KB

SHA-256 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name sserv.jpg (csrss.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
--------------

pl_src: h11p:\ bottraxanhtini{.} com/wp-content/themes/coinpr/assets/css/sserv.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
ssl
185.100.84.251 www.svgrjonzk3myor.com Client Hello
62.141.39.160 www.m7r36d5q.com Client Hello
194.109.206.212 www.4icku6mw6244ndu5qy.com Client Hello
62.138.18.136 sicherr.com Client Hello

http
104.16.19.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
104.18.35.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 3896 62.138.18.136 443 ESTABLISHED
radD1CBD.tmp 2212 127.0.0.1 50950 ESTABLISHED
radD1CBD.tmp 2212 127.0.0.1 50949 ESTABLISHED
radD1CBD.tmp 2212 154.35.32.5 443 SYN_SENT
[System Process] 0 104.16.19.96 80 TIME_WAIT
[System Process] 0 104.18.35.131 80 TIME_WAIT
radD1CBD.tmp 2212 128.31.0.39 9101 ESTABLISHED
radD1CBD.tmp 2212 194.109.206.212 443 ESTABLISHED
radD1CBD.tmp 2212 62.141.39.160 443 ESTABLISHED
radD1CBD.tmp 2212 185.100.84.251 443 ESTABLISHED
radD1CBD.tmp 2212 51.15.89.36 9100 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\отдел спецпроектов заказ 21.12.2018.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radD1CBD.tmp
C:\tmp\radD1CBD.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 12:37
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 26.12.2018 5:23

drop
--------------
C:\tmp\radD1CBD.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

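The proc, persist, files and drop sections above give a defender enough to write host-side detections for this chain: WScript.exe running a .js from a user profile, cmd.exe /c launching a .tmp from C:\tmp, vssadmin deleting shadow copies, a csrss.exe running from ProgramData, and a Run-key value pointing at it. The Python below is an added example, not code from the paste or its author. It evaluates those rules over Sysmon-style JSON events (EventID 1 = process creation, EventID 13 = registry value set); the field names follow Sysmon's schema, but the sample events are constructed for this example, and the .js file name in them is an ASCII stand-in for the Cyrillic lure name. Only the SHA-256 values and the command-line shapes come from the report.

```python
"""Host-side detection for the Troldesh/Shade chain described in the paste above.

Added example, not part of the original paste. Events are Sysmon-style JSON
(EventID 1 = process creation, EventID 13 = registry value set); SAMPLE_EVENTS
are constructed for this example. Only the SHA-256 values and the command-line
shapes the rules look for come from the report.
"""
import json
import re

# SHA-256 values copied from the "files" section of the report.
KNOWN_SHA256 = {
    "c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18",  # 24.12.2018.docx.zip
    "0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e",  # lure .js
    "50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83",  # sserv.jpg / csrss.exe
}

def _is_proc(ev):
    return ev.get("EventID") == 1

def _image(ev):
    return ev.get("Image", "").lower()

def _cmdline(ev):
    return ev.get("CommandLine", "").lower()

def rule_wsh_js_from_user_path(ev):
    """WScript.exe executing a .js that lives under a user profile (the ZIP > JS > WSH step)."""
    return (_is_proc(ev) and _image(ev).endswith("\\wscript.exe")
            and re.search(r"\\users\\[^\\]+\\.*\.js\b", _cmdline(ev)) is not None)

def rule_cmd_runs_tmp_payload(ev):
    """cmd.exe /c launching a .tmp file from a tmp/temp directory (the downloaded payload)."""
    return (_is_proc(ev) and _image(ev).endswith("\\cmd.exe")
            and re.search(r"/c\s+\S*\\(tmp|temp)\\\S+\.tmp\b", _cmdline(ev)) is not None)

def rule_shadow_copy_deletion(ev):
    """vssadmin Delete Shadows; a plain 'List Shadows' does not trip this rule."""
    cmd = _cmdline(ev)
    return _is_proc(ev) and _image(ev).endswith("\\vssadmin.exe") and "delete" in cmd and "shadows" in cmd

def rule_csrss_masquerade(ev):
    """csrss.exe is legitimate only from C:\\Windows\\System32; the report shows it in ProgramData."""
    img = _image(ev)
    return _is_proc(ev) and img.endswith("\\csrss.exe") and not img.startswith("c:\\windows\\system32\\")

def rule_known_hash(ev):
    """The Sysmon 'Hashes' field carries a SHA-256 listed in the report."""
    m = re.search(r"sha256=([0-9a-f]{64})", ev.get("Hashes", ""), re.I)
    return m is not None and m.group(1).lower() in KNOWN_SHA256

def rule_run_key_outside_windows_dirs(ev):
    """A Run-key value whose target lives in ProgramData, a user profile or AppData (the persist entry)."""
    if ev.get("EventID") != 13:
        return False
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    return "\\currentversion\\run\\" in target and re.search(r"programdata|\\users\\|appdata", details) is not None

RULES = [
    ("wsh_js_from_user_path", rule_wsh_js_from_user_path),
    ("cmd_runs_tmp_payload", rule_cmd_runs_tmp_payload),
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("csrss_masquerade", rule_csrss_masquerade),
    ("known_hash", rule_known_hash),
    ("run_key_outside_windows_dirs", rule_run_key_outside_windows_dirs),
]

def scan(lines):
    """Return [(rule_name, image_or_registry_target), ...] for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev.get("Image") or ev.get("TargetObject")))
    return hits

# Constructed Sysmon-style events; "zakaz 21.12.2018.js" stands in for the Cyrillic lure file name.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\WScript.exe", "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\operator\\Desktop\\zakaz 21.12.2018.js\""}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c C:\\tmp\\radD1CBD.tmp"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\system32\\vssadmin.exe", "CommandLine": "C:\\Windows\\system32\\vssadmin.exe List Shadows"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\system32\\vssadmin.exe", "CommandLine": "\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet"}',
    r'{"EventID": 1, "Image": "C:\\ProgramData\\Windows\\csrss.exe", "CommandLine": "c:\\programdata\\windows\\csrss.exe", "Hashes": "SHA256=50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem", "Details": "c:\\programdata\\windows\\csrss.exe"}',
]

if __name__ == "__main__":
    for name, where in scan(SAMPLE_EVENTS):
        print(f"{name:30s} {where}")
```

The behavioural rules (shadow-copy deletion, a system process name running from ProgramData, a Run key pointing outside the Windows directory) outlive the hash and URL indicators, which change per campaign; the hash rule is there for triage of hosts that already hold these exact samples. The files in the drop section named cached-certs, cached-microdesc-consensus, cached-microdescs.new, lock and state are the layout of a Tor client data directory, which together with the 9100/9101 connections in the comp section is worth a separate network rule in environments where Tor is not expected.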
VR

# # #
https://www.virustotal.com/#/file/c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18/details
https://www.virustotal.com/#/file/0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/66d523a1-b4f6-4216-9467-1e6c9e3d5f4c

@