2018-12-27 - MALSPAM PUSHES SHADE (TROLDESH) RANSOMWARE AND OTHER MALWARE

ASSOCIATED FILES:

NOTES:

 


Shown above:  Flow chart for recent Shade/Troldesh malspam infections.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

 

MALSPAM


Shown above:  Recent emails from this malspam.

 


Shown above:  Screenshot from an email on 2018-12-27.

 

EMAIL DATA FROM 7 MALSPAM EXAMPLES:

SENDERS NOTED:

 


Shown above:  Extracting the malicious JS file from the email attachment.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS GENERATED BY JS ATTACHMENTS FOR MALWARE:

 

MALWARE

FILE ATTACHMENTS:

EXTRACTED JS FILES:

MALWARE RETRIEVED FROM INFECTED WINDOWS HOST:

 

OTHER INFO

EMAIL FROM DECRYPTION INSTRUCTIONS:

TOR DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

FILE EXTENSION FOR ALL ENCRYPTED FILES:

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 


Shown above:  Malware found in the user's AppData\Local\Temp folder.

 


Shown above:  Windows registry updates found on the infected Windows host.

 


Shown above:  Traffic generated by the nheqminer associated with this Shade ransomware infection.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
