#IOC #OptiData #VR #shade #troldesh #WSH #ZIP
https://pastebin.com/yM1wATJ9

previous contact:
28/12/18 https://pastebin.com/E3isAsmV
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET > %temp%\*.tmp

email_headers
--------------
Return-Path: <gregg@blumoocreative.com>
Received: from spurs.unisonplatform.com (mail69.spurs.unisonplatform.com [192.69.235.69])
by srv8.victim1.com with for <user0@victim1.com>; Mon, 14 Jan 2019 08:16:20 +0200
Received: from [31.162.224.202] (port=50237 helo=COMPUTER)
by spurs.unisonplatform.com (envelope-from <gregg@blumoocreative.com>)
for user0@victim1.com; Sun, 13 Jan 2019 23:22:22 -0700
From: Воронов <gregg@blumoocreative.com>
Reply-To: Воронов <gregg@blumoocreative.com>
To: user0@victim1.com
Subject: подробности заказа

files
--------------
SHA-256 ee8ad1d13476b7406add4cb6af4ab70a3d25462af54beea63adeffe215240dad
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.2 KB

SHA-256 06345fe56078d53476c466446a3b54362ac491c2455bc5acb96fa85e6a63fa9f
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.09 KB

SHA-256 fa5b53248612efb5c1f7a5a143bfccefc96fafd18ebfd7cd49b3ace0774abc8b
File name Информация.js [ASCII text, with CRLF]
File size 6.71 KB

SHA-256 d832010182a986629db10bf429f85fe659265360964bee1cbec2947cfc597b00
File name ssj.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

2nd_pl_site (15/01/19)
SHA-256 35809b55e77a750ff6d07100d5de321e513e3f33feb200d3b4323aab235f7fdd
File name ssj.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
**************
pl_src: cloudtech24{.} site/ssj.jpg
s1.condotelhalongbay{.} xyz/wp-includes/ID3/ssj.jpg
.crypted000007
pilotpilot088@gmail.com

netwrk
--------------
http
207.148.118.31 cloudtech24{.} site GET /ssj.jpg HTTP/1.1 Mozilla/4.0
ssl
86.59.21.38 wxosfnbnnyqjd3n2fc{.} com
193.23.244.244 epgkjtk3nvwy5f4sg{.} com

comp
--------------
wscript.exe 3688 207.148.118.31 80 ESTABLISHED
radA620B.tmp 3960 127.0.0.1 51275 ESTABLISHED
radA620B.tmp 3960 127.0.0.1 51274 ESTABLISHED
radA620B.tmp 3960 86.59.21.38 443 ESTABLISHED
radA620B.tmp 3960 76.73.17.194 9090 SYN_SENT

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radA620B.tmp
C:\tmp\radA620B.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.01.2019 10:22
Client Server Runtime Subsystem
c:\programdata\windows\csrss.exe 14.01.2019 5:04

drop
--------------
C:\tmp\radA620B.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe
C:\ProgramData\System32\xfs

# # #
https://www.virustotal.com/#/file/ee8ad1d13476b7406add4cb6af4ab70a3d25462af54beea63adeffe215240dad/details
https://www.virustotal.com/#/file/06345fe56078d53476c466446a3b54362ac491c2455bc5acb96fa85e6a63fa9f/details
https://www.virustotal.com/#/file/fa5b53248612efb5c1f7a5a143bfccefc96fafd18ebfd7cd49b3ace0774abc8b/details
https://www.virustotal.com/#/file/d832010182a986629db10bf429f85fe659265360964bee1cbec2947cfc597b00/details
https://analyze.intezer.com/#/analyses/36f8d3b4-6370-4677-b2f6-6336fb2ffbab
https://www.virustotal.com/#/file/35809b55e77a750ff6d07100d5de321e513e3f33feb200d3b4323aab235f7fdd/details
https://analyze.intezer.com/#/analyses/021e3df9-28d0-4758-abee-d428e3fcb2e9

VR
@