#troldesh_241218

1. #IOC #OptiData #VR #shade #troldesh #WSH #ZIP
2.  
3. https://pastebin.com/mMMZe73m
4.  
5. previous contact:
6. 12/11/18    https://pastebin.com/1y8MpRZq
7. 14/09/18        https://pastebin.com/q6L376A8
8. 14/09/18        https://pastebin.com/L8MvAccK
9. 12/09/18        https://pastebin.com/LNHmd7Un
10.  
11. FAQ:
12. https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
13. https://secrary.com/ReversingMalware/UnpackingShade/
14.  
15. attack_vector
16. --------------
17. email attach .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp
18.  
19. email_headers
20. --------------
21. n/a
22.  
23. files
24. --------------
25. SHA-256 c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18
26. File name   24.12.2018.docx.zip     [Zip archive data, at least v2.0 to extract]
27. File size   3.22 KB
28.  
29. SHA-256 0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e
30. File name   отдел спецпроектов заказ 21.12.2018.js
31. File size   6.49 KB
32.  
33. SHA-256 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
34. File name   sserv.jpg (csrss.exe)       [PE32 executable (GUI) Intel 80386, for MS Windows]
35. File size   1.02 MB
36.  
37. activity
38. **************
39.  
40. pl_src:     h11p:\ bottraxanhtini{.} com/wp-content/themes/coinpr/assets/css/sserv.jpg
41.  
42. .crypted000007
43.  
44. pilotpilot088@gmail.com
45.  
46. netwrk
47. --------------
48. ssl
49. 185.100.84.251  www.svgrjonzk3myor.com      Client Hello   
50. 62.141.39.160   www.m7r36d5q.com        Client Hello   
51. 194.109.206.212 www.4icku6mw6244ndu5qy.com  Client Hello   
52. 62.138.18.136   sicherr.com         Client Hello   
53.  
54. http
55. 104.16.19.96    whatismyipaddress.com       GET / HTTP/1.1  Mozilla/5.0
56. 104.18.35.131   whatsmyip.net           GET / HTTP/1.1  Mozilla/5.0
57.  
58. comp
59. --------------
60. wscript.exe     3896    62.138.18.136   443 ESTABLISHED
61. radD1CBD.tmp        2212    127.0.0.1   50950   ESTABLISHED
62. radD1CBD.tmp        2212    127.0.0.1   50949   ESTABLISHED
63. radD1CBD.tmp        2212    154.35.32.5 443 SYN_SENT
64. [System Process]    0   104.16.19.96    80  TIME_WAIT
65. [System Process]    0   104.18.35.131   80  TIME_WAIT
66. radD1CBD.tmp        2212    128.31.0.39 9101    ESTABLISHED
67. radD1CBD.tmp        2212    194.109.206.212 443 ESTABLISHED
68. radD1CBD.tmp        2212    62.141.39.160   443 ESTABLISHED
69. radD1CBD.tmp        2212    185.100.84.251  443 ESTABLISHED
70. radD1CBD.tmp        2212    51.15.89.36 9100    ESTABLISHED
71.  
72. proc
73. --------------
74. "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\отдел спецпроектов заказ 21.12.2018.js"
75. "C:\Windows\System32\cmd.exe" /c C:\tmp\radD1CBD.tmp
76. C:\tmp\radD1CBD.tmp
77. C:\Windows\system32\vssadmin.exe List Shadows
78. "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
79. C:\Windows\system32\cmd.exe
80. C:\Windows\SysWOW64\chcp.com
81.  
82. persist
83. --------------
84. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              26.12.2018 12:37   
85. Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    26.12.2018 5:23
86.  
87. drop
88. --------------
89. C:\tmp\radD1CBD.tmp
90.  
91. C:\tmp\6893A5D897\cached-certs
92. C:\tmp\6893A5D897\cached-microdesc-consensus
93. C:\tmp\6893A5D897\cached-microdescs.new
94. C:\tmp\6893A5D897\lock
95. C:\tmp\6893A5D897\state
96.  
97. C:\ProgramData\Windows\csrss.exe
98.  
99. VR
100.  
101. # # #
102. https://www.virustotal.com/#/file/c30967f611535625c4b6a883affa77edaa008d5cd939a2b5ebc8daf946fc3d18/details
103. https://www.virustotal.com/#/file/0a326bd062fe5c8f95718c0426a71c210f60687c49195396553108b9de5f1e5e/details
104. https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
105. https://analyze.intezer.com/#/analyses/66d523a1-b4f6-4216-9467-1e6c9e3d5f4c
106.  
107. @