VRad

#troldesh_250219

Feb 25th, 2019
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/vMUxTH8C

previous contact (earlier pastes on the same campaign):
20/02/18 https://pastebin.com/4XDjjWZh
28/12/18 https://pastebin.com/E3isAsmV
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
attack_vector
--------------
email URL > GET .ZIP > JS > WSH > GET .jpg > %temp%\*.tmp
(a phishing mail links to a ZIP; the .js inside runs under Windows Script Host, which downloads the PE payload disguised as msg.jpg, writes it to a temp file named rad*.tmp and executes it)
email_headers
--------------
Received: from asg.aut.ac.ir (asg525.aut.ac.ir [185.211.88.20])
Fri, 22 Feb 2019 04:56:35 -0800 (PST)
Reply-To: Кудряшов <s_zohoor@aut.ac.ir>
From: Кудряшов <s_zohoor@aut.ac.ir>
To: <user0@victim1.com>
Subject: заказ   (Russian: "order")
(note the Russian display name Kudryashov on an Iranian university mailbox: the sending account is almost certainly compromised or abused rather than the lure's claimed sender)
files
--------------
SHA-256   9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18
File name pik.zip [Zip archive data, at least v2.0 to extract]
File size 3.49 KB

SHA-256   521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823
File name ПАО «Группа Компаний ПИК» подробности заказа.js [ASCII text, with CRLF]
          (Russian: "PJSC «PIK Group» order details.js"; PIK Group is a large Russian property developer, used here as the lure)
File size 6.95 KB

SHA-256   8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267
File name msg.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
          (not an image: the .jpg extension only disguises the PE payload in transit)
File size 1.25 MB
activity
**************
PL_SRC (payload source):
http://vemaprojects{.}be/templates/theme530/css/msg.jpg

netwrk
--------------
http.request.method == GET
85.255.199.31 vemaprojects{.}be GET /templates/theme530/css/msg.jpg HTTP/1.1 Mozilla/4.0
(a PE fetched from a /css/ path on a compromised site, with a bare Mozilla/4.0 user agent: both are easy proxy-log hunting points)

ssl
--------------
86.59.21.38 toq7utsylx3oz44i6rfjjnk.com Client Hello
131.188.40.189 sfe6esldpgtctm24.com Client Hello
163.172.4.100 dbw7deumfy6wxbrqkyg4c.com Client Hello
(random-looking SNI values on 443; 86.59.21.38 and 131.188.40.189 are the Tor directory authorities tor26 and gabelmoo, so this is the payload's embedded Tor client bootstrapping, not a bespoke C2 protocol)
comp
--------------
wscript.exe 1496 TCP localhost 49232 85.255.199.31 80 ESTABLISHED
(the script host itself performs the payload download)

rad83EF8.tmp 924 TCP localhost 49233 localhost 49234 ESTABLISHED
rad83EF8.tmp 924 TCP localhost 49234 localhost 49233 ESTABLISHED
rad83EF8.tmp 924 TCP localhost 49235 131.188.40.189 443 ESTABLISHED
rad83EF8.tmp 924 TCP localhost 49236 86.59.21.38 443 ESTABLISHED
rad83EF8.tmp 924 TCP localhost 49237 163.172.4.100 443 ESTABLISHED
rad83EF8.tmp 924 TCP localhost 49238 173.212.226.76 9001 ESTABLISHED
rad83EF8.tmp 924 TCP localhost 49239 193.108.117.59 9001 ESTABLISHED
(the loopback socket pair plus outbound 443 and 9001/tcp sessions is the typical footprint of an in-process Tor client; 9001 is Tor's default ORPort, so egress filtering on 9001 and on known relay addresses is a cheap containment control)
proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad83EF8.tmp
C:\tmp\rad83EF8.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
(rad*.tmp is the name pattern Scripting.FileSystemObject.GetTempName() returns, so the script saved the downloaded PE under a temp name and launched it through cmd.exe; the vssadmin pair enumerates and then wipes all Volume Shadow Copies to defeat local recovery before encryption)
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   25.02.2019 13:09
  value: Client Server Runtime Subsystem
  data:  c:\programdata\windows\csrss.exe   25.02.2019 11:20
(both the value name and the file name imitate the legitimate csrss.exe, which only runs from %SystemRoot%\System32 and is never started from a Run key; a csrss.exe under ProgramData is a reliable hunting signal)
drop
--------------
C:\tmp\rad83EF8.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
(cached-certs, cached-microdesc-consensus, lock and state are the files a Tor client writes to its DataDirectory; the randomly named folder under C:\tmp is the payload's Tor data directory)

C:\ProgramData\Windows\csrss.exe
  94.  
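Added example, not part of the original paste or the author's tooling: a small Python rule set that turns the proc, persist and drop artifacts above into host-side detections and replays them against constructed Sysmon-style events. The event field layout, the sample events (with the .js lure name given in English) and the benign control events are assumptions of this example; only the patterns (WSH spawning a rad*.tmp, vssadmin Delete Shadows, a system-binary name in a Run key outside the system directory, Tor DataDirectory files) come from the paste.

```python
import re

# Constructed sample events (not a real log). Field layout is a Sysmon-like
# shape assumed for this example; values mirror the paste above, except that
# the .js lure name is given in English. The last three are benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\PJSC PIK Group order details.js"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\rad83EF8.tmp'},
    {"type": "process", "image": r"C:\tmp\rad83EF8.tmp",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\tmp\rad83EF8.tmp"},
    {"type": "process", "image": r"C:\Windows\system32\vssadmin.exe",
     "parent": r"C:\tmp\rad83EF8.tmp",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Client Server Runtime Subsystem", "data": r"c:\programdata\windows\csrss.exe"},
    {"type": "file", "path": r"C:\tmp\6893A5D897\cached-microdesc-consensus"},
    # benign controls: real csrss.exe, an ordinary Run entry, read-only vssadmin
    {"type": "process", "image": r"C:\Windows\System32\csrss.exe",
     "parent": r"C:\Windows\System32\smss.exe", "cmdline": r"%SystemRoot%\system32\csrss.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "image": r"C:\Windows\system32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\Windows\system32\vssadmin.exe List Shadows"},
]

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# Scripting.FileSystemObject.GetTempName() produces names of the form radXXXXX.tmp
TEMPNAME_RE = re.compile(r"\\rad[0-9a-f]{5}\.tmp$", re.I)
# names that only ever legitimately run from the system directory
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# files a Tor client writes into its DataDirectory (the four seen in the drop list)
TOR_DATADIR_FILES = {"cached-certs", "cached-microdesc-consensus", "lock", "state"}


def basename(path):
    """Lower-cased final path component, tolerating a trailing quote."""
    return path.rstrip('"').rsplit("\\", 1)[-1].lower()


def first_token(cmdline):
    """Executable path from a command line: the quoted token, or text up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def masquerades_system_binary(exe_path):
    """A protected system-binary name launched from anywhere but System32/SysWOW64."""
    p = exe_path.lower()
    return basename(p) in SYSTEM_BINARIES and not any(d in p for d in SYSTEM_DIRS)


def match_process(ev):
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].strip()
    hits = []
    if image in WSH_HOSTS and re.search(r'\\users\\.*\.jse?"?$', cmd, re.I):
        hits.append("wsh_runs_script_from_user_profile")
    if parent in WSH_HOSTS and TEMPNAME_RE.search(cmd):
        hits.append("wsh_spawns_tempname_binary")
    if TEMPNAME_RE.search(ev["image"]):
        hits.append("tempname_binary_executes")
    if image == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd, re.I):
        hits.append("shadow_copy_deletion")
    if masquerades_system_binary(ev["image"]):
        hits.append("system_binary_name_outside_system_dir")
    return hits


def match_registry(ev):
    if not re.search(r"\\currentversion\\run(once)?$", ev["key"], re.I):
        return []
    return ["masqueraded_system_binary_in_run_key"] if masquerades_system_binary(first_token(ev["data"])) else []


def match_file(ev):
    return ["tor_datadir_artifact"] if basename(ev["path"]) in TOR_DATADIR_FILES else []


MATCHERS = {"process": match_process, "registry": match_registry, "file": match_file}


def scan(events):
    """Return (rule, event) pairs in event order; events that match nothing are dropped."""
    return [(rule, ev) for ev in events for rule in MATCHERS[ev["type"]](ev)]


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {ev.get('cmdline') or ev.get('data') or ev.get('path')}")
```

Each rule is deliberately narrow so it can be lifted into a SIEM query as-is: the rad*.tmp check keys on the GetTempName() naming rather than on a hash, the Run-key check fires on any protected process name outside the system directory (so it would also catch an lsass.exe or svchost.exe dropped into ProgramData), and the vssadmin rule ignores the read-only "List Shadows" reconnaissance so that only the destructive call pages an analyst.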
# # #
https://www.virustotal.com/#/file/9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18/details
https://www.virustotal.com/#/file/521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823/details
https://www.virustotal.com/#/file/8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267/details
https://analyze.intezer.com/#/analyses/804f1fba-bc4c-44e5-92c5-4ee844128e20

VR