- #IOC #OptiData #VR #shade #troldesh #WSH #ZIP
- https://pastebin.com/vMUxTH8C
- previous contact:
- 20/02/18 https://pastebin.com/4XDjjWZh
- 28/12/18 https://pastebin.com/E3isAsmV
- 26/12/18 https://pastebin.com/kx8Y0XzR
- 25/12/18 https://pastebin.com/xNRiz3QW
- 24/12/18 https://pastebin.com/mMMZe73m
- FAQ:
- https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
- https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
- attack_vector
- --------------
- email URL > GET .ZIP > .JS > WSH (wscript.exe) > GET .jpg (PE32 payload) > %temp%\*.tmp
- email_headers
- --------------
- Received: from asg.aut.ac.ir (asg525.aut.ac.ir [185.211.88.20])
- Fri, 22 Feb 2019 04:56:35 -0800 (PST)
- Reply-To: Кудряшов <s_zohoor@aut.ac.ir>
- From: Кудряшов <s_zohoor@aut.ac.ir>
- To: <user0@victim1.com>
- Subject: заказ  (Russian: "order")
- files
- --------------
- SHA-256 9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18
- File name pik.zip [Zip archive data, at least v2.0 to extract]
- File size 3.49 KB
- SHA-256 521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823
- File name ПАО «Группа Компаний ПИК» подробности заказа.js (Russian: "PJSC PIK Group order details.js") [ASCII text, with CRLF]
- File size 6.95 KB
- SHA-256 8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267
- File name msg.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 1.25 MB
- activity
- **************
- PL_SRC:
- http://vemaprojects{.}be/templates/theme530/css/msg.jpg
- netwrk
- --------------
- http.request.method == GET
- 85.255.199.31 vemaprojects{.}be GET /templates/theme530/css/msg.jpg HTTP/1.1 Mozilla/4.0
- ssl
- 86.59.21.38 toq7utsylx3oz44i6rfjjnk.com Client Hello
- 131.188.40.189 sfe6esldpgtctm24.com Client Hello
- 163.172.4.100 dbw7deumfy6wxbrqkyg4c.com Client Hello
- comp
- --------------
- wscript.exe 1496 TCP localhost 49232 85.255.199.31 80 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49233 localhost 49234 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49234 localhost 49233 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49235 131.188.40.189 443 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49236 86.59.21.38 443 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49237 163.172.4.100 443 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49238 173.212.226.76 9001 ESTABLISHED
- rad83EF8.tmp 924 TCP localhost 49239 193.108.117.59 9001 ESTABLISHED
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js"
- "C:\Windows\System32\cmd.exe" /c C:\tmp\rad83EF8.tmp
- C:\tmp\rad83EF8.tmp
- C:\Windows\system32\vssadmin.exe List Shadows
- "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.02.2019 13:09
-   value name: Client Server Runtime Subsystem
-   value data: c:\programdata\windows\csrss.exe 25.02.2019 11:20
- note: the legitimate csrss.exe lives in %SystemRoot%\System32 and is started by smss.exe, never from a Run key; any csrss.exe under ProgramData or in a user-writable path is a masquerade
- drop
- --------------
- C:\tmp\rad83EF8.tmp
- C:\tmp\6893A5D897\cached-certs
- C:\tmp\6893A5D897\cached-microdesc-consensus
- C:\tmp\6893A5D897\lock
- C:\tmp\6893A5D897\state
- C:\ProgramData\Windows\csrss.exe
- note: cached-certs, cached-microdesc-consensus, lock and state are the standard files of a Tor client DataDirectory, so C:\tmp\6893A5D897\ is the embedded Tor client's state; this matches the 9001/tcp connections in comp (9001 is Tor's default ORPort)
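The following is an added detection example; it is not part of this paste or of the author's tooling. It turns the chain above (WSH script from a user folder, cmd /c launching a .tmp, vssadmin Delete Shadows, outbound traffic to the listed hosts and to 9001/tcp, a fake csrss.exe autorun, and a "jpg" that is really a PE32) into rules run over constructed Sysmon-style events. The indicator values are copied from the sections above; the event field names, the rule names, the sample events and the fake PE header are constructed for the example.

```python
"""Detection rules for the Shade/Troldesh chain in the paste, run over constructed events."""
import hashlib
from typing import Dict, List

# Indicators copied from the paste (files / netwrk / comp sections).
IOC_SHA256 = {
    "9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18",  # pik.zip
    "521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823",  # .js dropper
    "8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267",  # msg.jpg (PE32)
}
IOC_HOSTS = {"vemaprojects.be", "toq7utsylx3oz44i6rfjjnk.com",
             "sfe6esldpgtctm24.com", "dbw7deumfy6wxbrqkyg4c.com"}
IOC_IPS = {"85.255.199.31", "86.59.21.38", "131.188.40.189",
           "163.172.4.100", "173.212.226.76", "193.108.117.59"}
TOR_ORPORT = 9001            # Tor's default relay port, seen in the comp section
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def check_process(ev: Dict) -> List[str]:
    """Behavioural rules over a process-creation event (proc section)."""
    img, cmd, alerts = ev["image"].lower(), ev["cmdline"].lower(), []
    if img.endswith("wscript.exe") and ".js" in cmd and ("\\desktop\\" in cmd or "\\downloads\\" in cmd):
        alerts.append("wsh_script_from_user_dir")
    if img.endswith("cmd.exe") and " /c " in cmd and cmd.rstrip('"').endswith(".tmp"):
        alerts.append("cmd_launches_tmp_payload")
    if img.endswith("vssadmin.exe") and "delete shadows" in cmd:
        alerts.append("shadow_copy_deletion")
    return alerts


def check_network(ev: Dict) -> List[str]:
    """Indicator match plus the two behaviours worth alerting on by themselves."""
    alerts = []
    if ev.get("host", "").lower() in IOC_HOSTS or ev["dst_ip"] in IOC_IPS:
        alerts.append("known_c2_indicator")
    if ev["dst_port"] == TOR_ORPORT:
        alerts.append("tor_orport_connection")
    if ev["image"].lower().endswith("wscript.exe") and ev["dst_port"] in (80, 443):
        alerts.append("wsh_outbound_http")
    return alerts


def check_registry(ev: Dict) -> List[str]:
    """Fake csrss.exe autorun: the real one lives in System32 and needs no Run key."""
    key, val, alerts = ev["key"].lower(), ev["value"].lower(), []
    if "\\currentversion\\run" in key and "csrss.exe" in val and "\\system32\\" not in val:
        alerts.append("csrss_outside_system32_autorun")
    if "\\currentversion\\run" in key and ev["name"].lower() == "client server runtime subsystem":
        alerts.append("shade_run_key_name")
    return alerts


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_file(ev: Dict) -> List[str]:
    """Hash match, plus 'image' extension hiding an executable (msg.jpg)."""
    alerts = []
    if hashlib.sha256(ev["data"]).hexdigest() in IOC_SHA256:
        alerts.append("known_hash")
    if ev["name"].lower().endswith(IMAGE_EXTS) and is_pe(ev["data"]):
        alerts.append("pe_masquerading_as_image")
    return alerts


CHECKS = {"process": check_process, "network": check_network,
          "registry": check_registry, "file": check_file}


def scan(events: List[Dict]) -> List[str]:
    """Return 'rule:evidence' strings for every event that fires a rule."""
    return [f"{rule}:{ev.get('evidence', ev['type'])}"
            for ev in events for rule in CHECKS[ev["type"]](ev)]


# Constructed minimal PE header (MZ stub, e_lfanew -> 'PE\0\0'); not a real sample.
FAKE_PE = bytearray(0x44)
FAKE_PE[0:2] = b"MZ"
FAKE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
FAKE_PE[0x40:0x44] = b"PE\x00\x00"

# Constructed sample events modelled on the comp / proc / persist / drop sections, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe", "evidence": "wscript",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\order.js"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "evidence": "cmd",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\rad83EF8.tmp'},
    {"type": "process", "image": r"C:\Windows\system32\vssadmin.exe", "evidence": "vssadmin",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe", "host": "vemaprojects.be",
     "dst_ip": "85.255.199.31", "dst_port": 80, "evidence": "85.255.199.31:80"},
    {"type": "network", "image": r"C:\tmp\rad83EF8.tmp", "host": "",
     "dst_ip": "173.212.226.76", "dst_port": 9001, "evidence": "173.212.226.76:9001"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "evidence": "runkey",
     "name": "Client Server Runtime Subsystem", "value": r"c:\programdata\windows\csrss.exe"},
    {"type": "file", "name": "msg.jpg", "data": bytes(FAKE_PE), "evidence": "msg.jpg"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Foo", "evidence": "benign",
     "name": "ImagePath", "value": r"C:\Windows\System32\csrss.exe"},
    {"type": "file", "name": "photo.jpg", "data": b"\xff\xd8\xff\xe0" + b"\x00" * 64, "evidence": "benign"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The hash set is the weakest rule here (a rebuilt msg.jpg changes it), so the behavioural rules are the ones to keep: vssadmin Delete Shadows, cmd /c on a .tmp, wscript.exe talking to the network, a Run value pointing at csrss.exe outside System32, and an image file whose bytes start with MZ all survive a re-hashed sample.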
- # # #
- https://www.virustotal.com/#/file/9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18/details
- https://www.virustotal.com/#/file/521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823/details
- https://www.virustotal.com/#/file/8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267/details
- https://analyze.intezer.com/#/analyses/804f1fba-bc4c-44e5-92c5-4ee844128e20
- VR
- @