API tools faq
paste
Advertisement
VRad

#adwind_050819

VRad
Aug 7th, 2019
1,021
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.34 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #macro #adwind
  2.  
  3. https://pastebin.com/v2kfP17r
  4.  
  5. previous_contact:
  6. n/a
  7.  
  8. FAQ:
  9. https://radetskiy.wordpress.com/2018/05/11/ioc_adwind_100518/
  10.  
  11. attack_vector
  12. --------------
  13. email attach .DOC > macro > GET jar
  14.  
  15. email_headers
  16. --------------
  17. Received: from lrwdd2.directrouter.com (lrwdd2.directrouter.com [206.123.119.186])
  18. Date: Mon, 05 Aug 2019 04:22:00 -0500
  19. From: [email protected]
  20. To: [email protected]
  21. Subject: Fwd: Purchasing Oder
  22. X-Sender: [email protected]
  23. User-Agent: Roundcube Webmail/1.3.8
  24.  
  25. files
  26. --------------
  27. SHA-256 ec845d4c57715e83a80467cfce273e3c54c89aca5229e3f2476057e234c1c0bd
  28. File name PO JAR.doc
  29. File size 508 KB (520192 bytes)
  30.  
  31. SHA-256 a104db76b0b3b8387674918217806325a9db2cf0951e9ec9f88ff6a80d9585b7
  32. File name umucry.jar
  33. File size 652.17 KB (667818 bytes)
  34.  
  35. activity
  36. **************
  37.  
  38. PL_SCR
  39. h11ps\kcexports{.} me/umucry.jar
  40.  
  41. C2
  42. 67.207.93.17
  43. 192.169.69.25
  44.  
  45. netwrk
  46. --------------
  47. [ssl]
  48. 167.71.13.65 kcexports{.} me Client Hello
  49.  
  50. comp
  51. --------------
  52. WINWORD.EXE 172 TCP localhost 49217 162.255.119.195 443 SYN_SENT
  53. WINWORD.EXE 172 TCP localhost 49218 167.71.13.65 443 ESTABLISHED
  54. wscript.exe 2212 TCP localhost 49219 67.207.93.17 7744 SYN_SENT
  55. java.exe 2204 TCP localhost 49222 localhost 7777 SYN_SENT
  56. javaw.exe 1724 TCP localhost 49221 185.244.31.111 7788 SYN_SENT
  57. wscript.exe 2212 TCP localhost 49219 67.207.93.17 7744 SYN_SENT
  58. javaw.exe 1724 TCP localhost 49240 192.169.69.25 7788 SYN_SENT
  59. wscript.exe 2212 TCP localhost 49230 67.207.93.17 7744 SYN_SENT
  60.  
  61.  
  62. proc
  63. --------------
  64. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  65. "C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\tmp\nloa9qbv.jar"
  66. wscript C:\Users\operator\ddmwgktkuz.js
  67. "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\CgvxwvYwsG.js"
  68. "C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\operator\AppData\Roaming\sutnspffgo.txt"
  69. "C:\Program Files\Java\jre1.8.0_131\bin\java.exe" -jar C:\tmp\_0.66710452046253931060377835662046911.class
  70. C:\Windows\system32\xcopy.exe xcopy "C:\Program Files\Java\jre1.8.0_131" "C:\Users\operator\AppData\Roaming\Oracle\" /e
  71. C:\Windows\system32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ULnOQSoPZLF N" /t REG_EXPAND_SZ /d "\"C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ\"" /f
  72. C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\KODhCgcEnMlN\*.*"
  73. C:\Windows\system32\attrib.exe attrib +h "C:\Users\operator\KODhCgcEnMlN"
  74. C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ
  75. C:\Windows\system32\icacls.exe icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\a2160c77c17b5611.timestamp /grant "everyone":(OI)(CI)M
  76. C:\Users\operator\AppData\Roaming\Oracle\bin\java.exe -jar C:\tmp\_0.53037232544445945746878749339271613.class
  77. . . .
  78.  
  79. persist
  80. --------------
  81. @HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05.08.2019 18:06
  82.  
  83. CgvxwvYwsG c:\users\operator\appdata\roaming\cgvxwvywsg.js 05.08.2019 18:06
  84. wscript.exe //B "C:\Users\operator\AppData\Roaming\CgvxwvYwsG.js"
  85.  
  86. ULnOQSoPZLF N Java(TM) Platform SE binary Oracle Corporation c:\users\operator\appdata\roaming\oracle\bin\javaw.exe 15.03.2017 11:32
  87. "C:\Users\operator\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ"
  88.  
  89. @C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 05.08.2019 18:06
  90.  
  91. CgvxwvYwsG.js c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\cgvxwvywsg.js 05.08.2019 18:06
  92.  
  93. drop
  94. --------------
  95. %temp%\nloa9qbv.jar [umucry[1].jar]
  96. C:\Users\operator\AppData\Roaming\CgvxwvYwsG.js
  97. C:\Users\operator\AppData\Roaming\sutnspffgo.txt
  98. C:\Users\operator\AppData\Roaming\Oracle\bin
  99.  
  100. C:\Users\operator\fUTkALeaTxM
  101. C:\Users\operator\KODhCgcEnMlN\tHIhwWDFSUNOB.eiZoGwJ [jar]
  102. C:\Users\operator\ddmwgktkuz.js
  103.  
  104. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CgvxwvYwsG.js
  105.  
  106. # # #
  107. https://www.virustotal.com/gui/file/ec845d4c57715e83a80467cfce273e3c54c89aca5229e3f2476057e234c1c0bd/details
  108. https://www.virustotal.com/gui/file/a104db76b0b3b8387674918217806325a9db2cf0951e9ec9f88ff6a80d9585b7/details
  109.  
  110. VR
  111.  
  112. @
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!