#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/xNRiz3QW

previous contact:
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/
attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp
email_headers
--------------
Received: from talisman-so.ru (mx.talisman-so.ru [78.138.159.100])
 by srv8.victim1.com for <user0@org7.victim1.com>;
 (envelope-from lapina@talisman-so.ru)
Date: Tue, 25 Dec 2018 10:00:08 +0200 (EET)
Received: from COMPUTER (unknown [116.111.40.131])
 by talisman-so.ru (Postfix) with ESMTPSA id CBE04FFC70
 for <user0@org7.victim1.com>; Tue, 25 Dec 2018 10:59:57 +0300 (MSK)
From: Кулаков Росбанк <lapina@srv8.victim1.com>
Reply-To: Кулаков Росбанк <lapina@srv8.victim1.com>
To: user0@org7.victim1.com
Subject: подробности заказа
files
--------------
SHA-256   dc198ca833ffd29c4199fd28c399bf8db689b4329e5becfe7da2e9663c0699f1
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.32 KB

SHA-256   66553d13a271a852d0faa7614ecee488d3711076892575f2df3a511c5c4ccde2
File name zakaz.3001.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.18 KB

SHA-256   19658b7c05aa929330984589cd45d453cab0515e6deed98195f1b4369f207b54
File name информация о заказе.js
File size 6.59 KB

SHA-256   50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name sserv.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB
activity
**************
pl_src: h11p:\ rusblognews {.}com/cgi-bin/sserv.jpg
.crypted000007
pilotpilot088@gmail.com
netwrk
--------------
ssl
91.143.93.9 www.vyeypiu4rxs5ve23kc263.com Client Hello
131.188.40.189 www.ffowns6rx.com Client Hello
194.109.206.212 www.boefdch.com Client Hello
185.101.35.159 densunnesnute.no Client Hello

http
185.50.25.48 rusblognews.com GET /cgi-bin/sserv.jpg HTTP/1.1 Mozilla/4.0 (compatible;
104.18.34.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0
104.16.17.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0
comp
--------------
(process  PID  remote address  remote port  state)
wscript.exe 2896 185.50.25.48 80 ESTABLISHED
wscript.exe 2896 185.101.35.159 443 ESTABLISHED
rad12484.tmp 2216 127.0.0.1 50956 ESTABLISHED
rad12484.tmp 2216 127.0.0.1 50955 ESTABLISHED
rad12484.tmp 2216 131.188.40.189 443 ESTABLISHED
rad12484.tmp 2216 194.109.206.212 443 ESTABLISHED
rad12484.tmp 2216 94.130.34.199 9001 ESTABLISHED
rad12484.tmp 2216 195.154.119.203 9001 ESTABLISHED
[System] 0 104.16.17.96 80 TIME_WAIT
[System] 0 104.18.34.131 80 TIME_WAIT
rad12484.tmp 2216 91.143.93.9 995 ESTABLISHED
rad12484.tmp 2216 195.154.119.203 9001 ESTABLISHED
rad12484.tmp 2216 127.0.0.1 50956 ESTABLISHED
rad12484.tmp 2216 127.0.0.1 50955 ESTABLISHED
rad12484.tmp 2216 94.130.34.199 9001 ESTABLISHED
rad12484.tmp 2216 91.143.93.9 995 ESTABLISHED
rad12484.tmp 2216 195.154.119.203 9001 ESTABLISHED
rad12484.tmp 2216 localhost 50956 ESTABLISHED
rad12484.tmp 2216 localhost 50955 ESTABLISHED
rad12484.tmp 2216 ra.horus-it.com 9001 ESTABLISHED
rad12484.tmp 2216 91-143-93-9.icho pop3s ESTABLISHED
rad12484.tmp 2216 195-154-119-203.rev.poneytelecom.eu 9001 ESTABLISHED
proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad12484.tmp
C:\tmp\rad12484.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\chcp.com
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 12:50
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 26.12.2018 13:17
drop
--------------
C:\tmp\rad12484.tmp
C:\ProgramData\Windows\csrss.exe
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
VR
# # #
https://www.virustotal.com/#/file/dc198ca833ffd29c4199fd28c399bf8db689b4329e5becfe7da2e9663c0699f1/details
https://www.virustotal.com/#/file/66553d13a271a852d0faa7614ecee488d3711076892575f2df3a511c5c4ccde2/details
https://www.virustotal.com/#/file/19658b7c05aa929330984589cd45d453cab0515e6deed98195f1b4369f207b54/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/b9549b1d-0980-4400-9c06-95b943e85122
@