#troldesh_150119

VRad Jan 15th, 2019 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/mwbpijXN

previous contact:
14/01/19        https://pastebin.com/yM1wATJ9
28/12/18        https://pastebin.com/E3isAsmV
26/12/18        https://pastebin.com/kx8Y0XzR
25/12/18        https://pastebin.com/xNRiz3QW
24/12/18        https://pastebin.com/mMMZe73m
12/11/18        https://pastebin.com/1y8MpRZq
14/09/18        https://pastebin.com/q6L376A8
14/09/18        https://pastebin.com/L8MvAccK
12/09/18        https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET *.jpg > %temp%\*.tmp

email_headers
--------------

Received: from spam.gachon.ac.kr (203.249.127.239) by srv8.victim1.com
Received: from COMPUTER ( [178.184.25.134])
    by spam.gachon.ac.kr (DEEPSoft WBlock.s.h 5.04.493)
    for <user0@victim1.com>; Tue, 15 Jan 2019 17:57:31 +0900
From: Жданов <dgsong@gachon.ac.kr>
Reply-To: Жданов <dgsong@gachon.ac.kr>
Return-Path: dgsong@gachon.ac.kr
To: <user0@victim1.com>
Subject: подробности заказа

files
--------------
SHA-256 25fe108fe4a1c8635cfc0cb97fb696f71679fd91930a48004add17c362433cce
File name   info.zip        [Zip archive data, at least v2.0 to extract]
File size   3.27 KB

SHA-256 9bfc62dbd063b0bb38c38c9b3a377d8de1e8682b5ee071955acf9e5a38e36402
File name   info.zip (2)        [Zip archive data, at least v2.0 to extract]
File size   3.17 KB

SHA-256 1a80aad4ed919acd36eceda4577d935e02a296d3fe895b8d7b306ae20a5628fe
File name   Информация.js     [ASCII text, with CRLF, LF line terminators]
File size   6.55 KB

SHA-256 d5c0d8ca4705ca31a8742292b0274182e89eabae1f476b14ace611c90fe2400f
File name   ssj.jpg         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.42 MB

activity
--------------

pl_src:

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
http
35.247.142.226  tanoils{.} com{.} vn    GET /wp-content/themes/flatsome/woocommerce/cart/ssj.jpg    Mozilla/4.0

ssl
194.109.206.212 nnmzhoimhdluarso{.} com
193.23.244.244  2jcicwly5lhk74jnpm{.} com

comp
--------------
wscript.exe     3516    35.247.142.226  80      ESTABLISHED
rad1924A.tmp    3132    127.0.0.1       51323   ESTABLISHED
rad1924A.tmp    3132    127.0.0.1       51322   ESTABLISHED
rad1924A.tmp    3132    193.23.244.244  443     ESTABLISHED
rad1924A.tmp    3132    194.109.206.212 443     ESTABLISHED
rad1924A.tmp    3132    68.183.111.189  9001    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad1924A.tmp
C:\tmp\rad1924A.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              09.01.2019 10:12
Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    15.01.2019 11:01

drop
--------------
C:\tmp\rad1924A.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs

# # #
https://www.virustotal.com/#/file/25fe108fe4a1c8635cfc0cb97fb696f71679fd91930a48004add17c362433cce/details
https://www.virustotal.com/#/file/9bfc62dbd063b0bb38c38c9b3a377d8de1e8682b5ee071955acf9e5a38e36402/details
https://www.virustotal.com/#/file/1a80aad4ed919acd36eceda4577d935e02a296d3fe895b8d7b306ae20a5628fe/details
https://www.virustotal.com/#/file/d5c0d8ca4705ca31a8742292b0274182e89eabae1f476b14ace611c90fe2400f/details
https://analyze.intezer.com/#/analyses/695901d5-db62-4797-b06d-2a1590a12881

VR