
#adwind_050819

VRad Aug 7th, 2019 (edited) 671 Never
  1. #IOC #OptiData #VR #macro #adwind
  2.  
  3. https://pastebin.com/v2kfP17r
  4.  
  5. previous_contact:
  6. n/a
  7.  
  8. FAQ:
  9. https://radetskiy.wordpress.com/2018/05/11/ioc_adwind_100518/
  10.  
  11. attack_vector
  12. --------------
  13. email attach .DOC > macro > GET jar
  14.  
  15. email_headers
  16. --------------
  17. Received: from lrwdd2.directrouter.com (lrwdd2.directrouter.com [206.123.119.186])
  18. Date: Mon, 05 Aug 2019 04:22:00 -0500
  19. From: cellardoor@palmerwines.com.au
  20. To: user00@victim77.com
  21. Subject: Fwd: Purchasing Oder
  22. X-Sender: cellardoor@palmerwines.com.au
  23. User-Agent: Roundcube Webmail/1.3.8
  24.  
  25. files
  26. --------------
  27. SHA-256     ec845d4c57715e83a80467cfce273e3c54c89aca5229e3f2476057e234c1c0bd
  28. File name   PO JAR.doc
  29. File size   508 KB (520192 bytes)
  30.  
  31. SHA-256     a104db76b0b3b8387674918217806325a9db2cf0951e9ec9f88ff6a80d9585b7
  32. File name   umucry.jar
  33. File size   652.17 KB (667818 bytes)
  34.  
  35. activity
  36. **************
  37.  
  38. PL_SCR
  39. h11ps\kcexports{.} me/umucry.jar
  40.  
  41. C2
  42. 67.207.93.17
  43. 192.169.69.25  
  44.  
  45. netwrk
  46. --------------
  47. [ssl]
  48. 167.71.13.65    kcexports{.} me Client Hello
  49.  
  50. comp
  51. --------------
  52. WINWORD.EXE 172     TCP localhost   49217   162.255.119.195 443 SYN_SENT
  53. WINWORD.EXE 172     TCP localhost   49218   167.71.13.65    443 ESTABLISHED
  54. wscript.exe 2212        TCP localhost   49219   67.207.93.17    7744    SYN_SENT
  55. java.exe    2204        TCP localhost   49222   localhost   7777    SYN_SENT
  56. javaw.exe   1724        TCP localhost   49221   185.244.31.111  7788    SYN_SENT
  57. wscript.exe 2212        TCP localhost   49219   67.207.93.17    7744    SYN_SENT
  58. javaw.exe   1724        TCP localhost   49240   192.169.69.25   7788    SYN_SENT
  59. wscript.exe 2212        TCP localhost   49230   67.207.93.17    7744    SYN_SENT
  60.  
  61.  
  62. proc
  63. --------------
  64. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  65.     "C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\tmp\nloa9qbv.jar"
  66.     wscript C:\Users\operator\ddmwgktkuz.js
  67.     "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\CgvxwvYwsG.js"
  68.         "C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe"  -jar "C:\Users\operator\AppData\Roaming\sutnspffgo.txt"
  69.         "C:\Program Files\Java\jre1.8.0_131\bin\java.exe" -jar C:\tmp\_0.66710452046253931060377835662046911.class
  70.         C:\Windows\system32\xcopy.exe   xcopy "C:\Program Files\Java\jre1.8.0_131" "C:\Users\operator\AppData\Roaming\Oracle\" /e
  71.         C:\Windows\system32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ULnOQSoPZLF N" /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ\"" /f
  72.         C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\KODhCgcEnMlN\*.*"
  73.         C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\KODhCgcEnMlN"
  74.     C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ
  75.     C:\Windows\system32\icacls.exe icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\a2160c77c17b5611.timestamp /grant "everyone":(OI)(CI)M
  76.     C:\Users\operator\AppData\Roaming\Oracle\bin\java.exe -jar C:\tmp\_0.53037232544445945746878749339271613.class
  77. . . .
  78.  
  79. persist
  80. --------------
  81. @HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run             05.08.2019 18:06
  82.  
  83.     CgvxwvYwsG          c:\users\operator\appdata\roaming\cgvxwvywsg.js 05.08.2019 18:06   
  84.     wscript.exe //B "C:\Users\operator\AppData\Roaming\CgvxwvYwsG.js"
  85.  
  86.     ULnOQSoPZLF N   Java(TM) Platform SE binary Oracle Corporation  c:\users\operator\appdata\roaming\oracle\bin\javaw.exe  15.03.2017 11:32   
  87.     "C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ"
  88.  
  89. @C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup                05.08.2019 18:06   
  90.  
  91.     CgvxwvYwsG.js           c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\cgvxwvywsg.js   05.08.2019 18:06   
  92.  
  93. drop
  94. --------------
  95. %temp%\nloa9qbv.jar     [umucry[1].jar]
  96. C:\Users\operator\AppData\Roaming\CgvxwvYwsG.js
  97. C:\Users\operator\AppData\Roaming\sutnspffgo.txt
  98. C:\Users\operator\AppData\Roaming\Oracle\bin
  99.  
  100. C:\Users\operator\fUTkALeaTxM
  101. C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ    [jar]
  102. C:\Users\operator\ddmwgktkuz.js
  103.  
  104. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CgvxwvYwsG.js
  105.  
  106. # # #
  107. https://www.virustotal.com/gui/file/ec845d4c57715e83a80467cfce273e3c54c89aca5229e3f2476057e234c1c0bd/details
  108. https://www.virustotal.com/gui/file/a104db76b0b3b8387674918217806325a9db2cf0951e9ec9f88ff6a80d9585b7/details
  109.  
  110. VR
  111.  
  112. @