
#troldesh_140119

VRad Jan 15th, 2019 (edited) 186 Never
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/yM1wATJ9

previous contact:
28/12/18        https://pastebin.com/E3isAsmV
26/12/18        https://pastebin.com/kx8Y0XzR
25/12/18        https://pastebin.com/xNRiz3QW
24/12/18        https://pastebin.com/mMMZe73m
12/11/18        https://pastebin.com/1y8MpRZq
14/09/18        https://pastebin.com/q6L376A8
14/09/18        https://pastebin.com/L8MvAccK
12/09/18        https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET > %temp%\*.tmp

email_headers
--------------
Return-Path: <gregg@blumoocreative.com>
Received: from spurs.unisonplatform.com (mail69.spurs.unisonplatform.com [192.69.235.69])
    by srv8.victim1.com with for <user0@victim1.com>; Mon, 14 Jan 2019 08:16:20 +0200
Received: from [31.162.224.202] (port=50237 helo=COMPUTER)
    by spurs.unisonplatform.com (envelope-from <gregg@blumoocreative.com>)
    for user0@victim1.com; Sun, 13 Jan 2019 23:22:22 -0700
From: Воронов <gregg@blumoocreative.com>
Reply-To: Воронов <gregg@blumoocreative.com>
To: user0@victim1.com
Subject: подробности заказа

files
--------------
SHA-256 ee8ad1d13476b7406add4cb6af4ab70a3d25462af54beea63adeffe215240dad
File name   info.zip        [Zip archive data, at least v2.0 to extract]
File size   3.2 KB

SHA-256 06345fe56078d53476c466446a3b54362ac491c2455bc5acb96fa85e6a63fa9f
File name   info.zip        [Zip archive data, at least v2.0 to extract]
File size   3.09 KB

SHA-256 fa5b53248612efb5c1f7a5a143bfccefc96fafd18ebfd7cd49b3ace0774abc8b
File name   Информация.js     [ASCII text, with CRLF]
File size   6.71 KB

SHA-256 d832010182a986629db10bf429f85fe659265360964bee1cbec2947cfc597b00
File name   ssj.jpg         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.02 MB

2nd_pl_site (15/01/19)
SHA-256 35809b55e77a750ff6d07100d5de321e513e3f33feb200d3b4323aab235f7fdd
File name   ssj.jpg         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.02 MB

activity
**************

pl_src:     cloudtech24{.} site/ssj.jpg
            s1.condotelhalongbay{.} xyz/wp-includes/ID3/ssj.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
http
207.148.118.31      cloudtech24{.} site GET /ssj.jpg HTTP/1.1   Mozilla/4.0

ssl
86.59.21.38         wxosfnbnnyqjd3n2fc{.} com
193.23.244.244      epgkjtk3nvwy5f4sg{.} com

comp
--------------
wscript.exe     3688    207.148.118.31  80      ESTABLISHED
radA620B.tmp    3960    127.0.0.1       51275   ESTABLISHED
radA620B.tmp    3960    127.0.0.1       51274   ESTABLISHED
radA620B.tmp    3960    86.59.21.38     443     ESTABLISHED
radA620B.tmp    3960    76.73.17.194    9090    SYN_SENT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radA620B.tmp
C:\tmp\radA620B.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              09.01.2019 10:22
Client Server Runtime Subsystem
c:\programdata\windows\csrss.exe    14.01.2019 5:04

drop
--------------
C:\tmp\radA620B.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs
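Detection logic for the proc and persist sections above, as an added example that is not part of the original paste. It runs three checks over constructed sample telemetry modelled on the page's process and Run-key entries: a script host (wscript.exe/cscript.exe) spawning cmd.exe to execute a .tmp payload (the JS > WSH > %temp%\*.tmp chain from attack_vector), vssadmin deleting shadow copies, and a Run-key value whose data is a system-process name (here csrss.exe) living outside System32. The event dictionary shape is an assumption of this example, not any particular EDR or Sysmon schema.

```python
"""Detection checks for the Troldesh/Shade execution chain in this paste.

Added example, not the paste author's code. The event layout (dict with
'type', 'parent', 'image', 'cmdline' or 'key', 'value', 'data') is an
assumption; the sample events are constructed from the page's proc/persist
sections plus two benign controls that must not alert.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real log output).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация.js"'},
    {"type": "process", "parent": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radA620B.tmp'},
    {"type": "process", "parent": r"C:\tmp\radA620B.tmp",
     "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Client Server Runtime Subsystem",
     "data": r"c:\programdata\windows\csrss.exe"},
    # Benign controls: an interactive shell and a legitimate autostart entry.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Names of Windows system processes that only belong under \Windows\System32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe",
                        "winlogon.exe", "services.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_process(ev: Dict[str, str]) -> List[str]:
    """Return rule names that fire for a process-creation event."""
    alerts = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    cmd = ev["cmdline"].lower()
    # Rule 1: script host -> cmd.exe running a *.tmp file (dropped payload).
    if parent in SCRIPT_HOSTS and image == "cmd.exe" \
            and re.search(r'\\[^\s"]+\.tmp\b', cmd):
        alerts.append("script-host-spawns-tmp-payload")
    # Rule 2: shadow copy deletion, the pre-encryption step seen in proc.
    if image == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd):
        alerts.append("vssadmin-delete-shadows")
    return alerts


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Return rule names that fire for a registry value-set event."""
    alerts = []
    if ev["key"].lower().endswith(r"\currentversion\run"):
        data = ev["data"].lower()
        # Rule 3: autostart pointing at a system-process name outside System32.
        if basename(data) in SYSTEM_PROCESS_NAMES and "\\windows\\system32\\" not in data:
            alerts.append("run-key-masquerades-as-system-binary")
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every check and return (rule, evidence) pairs."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        evidence = ev.get("cmdline") or ev.get("data", "")
        findings.extend((h, evidence) for h in hits)
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Rule 1 keys on the parent/child relationship rather than on the specific file name radA620B.tmp, since the .tmp name is per-infection; rule 3 catches the csrss.exe masquerade by location rather than by hash, so the 2nd_pl_site rebuild of the payload is covered as well.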

# # #
https://www.virustotal.com/#/file/ee8ad1d13476b7406add4cb6af4ab70a3d25462af54beea63adeffe215240dad/details
https://www.virustotal.com/#/file/06345fe56078d53476c466446a3b54362ac491c2455bc5acb96fa85e6a63fa9f/details
https://www.virustotal.com/#/file/fa5b53248612efb5c1f7a5a143bfccefc96fafd18ebfd7cd49b3ace0774abc8b/details
https://www.virustotal.com/#/file/d832010182a986629db10bf429f85fe659265360964bee1cbec2947cfc597b00/details
https://analyze.intezer.com/#/analyses/36f8d3b4-6370-4677-b2f6-6336fb2ffbab
https://www.virustotal.com/#/file/35809b55e77a750ff6d07100d5de321e513e3f33feb200d3b4323aab235f7fdd/details
https://analyze.intezer.com/#/analyses/021e3df9-28d0-4758-abee-d428e3fcb2e9

VR

@