InstallSlimPDFReader.js

General

Target: InstallSlimPDFReader.js
Size: 552KB
Sample: 201015-maq58vrepn
Score: 10/10
MD5: 3e3c515ce53a1aedb1fe7e8689f2cd39
SHA1: 17b761826748ac4c63232f227d529b59323864d0
SHA256: ef487da7a8301df9dca1e74c58433912fca910fb06bc4c941e4c756ce5ff0712
SHA512: f786aebec2f7f31ca0a4b8d3d3dcad2dc3a5d2405d9a5c8f43aab84145d8a52978ee5861d048d49193bcc5c543d641ea8aeb486a4703ce9d746676a3ff579a13

Signatures

  • WSHRAT

    Description

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blacklisted process makes network request

  • Executes dropped EXE

  • Drops startup file

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder (T1547.001); Modify Registry (T1112)

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.
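As a hunt example added to this report (it is neither sandbox output nor code from the sample), the script below turns three of the behaviours flagged above into checks over endpoint telemetry: a Windows Script Host process (wscript.exe or cscript.exe) setting a Run/RunOnce value that launches a script, that same process initiating an outbound connection, and the correlation of both in one process, which is the pattern a WSHRAT-style JS dropper leaves behind. The events are constructed in the shape of Sysmon Event ID 13 (registry value set) and Event ID 3 (network connection); the ProcessGuids, user paths and the 203.0.113.10 destination are illustrative, and the only detail taken from the report is the file name.

```python
"""Hunt helper for WSH persistence plus network activity.

Events are plain dicts shaped like Sysmon Event ID 13 (RegistryEvent, value
set) and Event ID 3 (NetworkConnect). The sample events at the bottom are
constructed for this example; they are not telemetry from the report's sample.
"""
import re
from collections import defaultdict

# Run and RunOnce under any hive (Sysmon reports HKU\<SID>\... or HKLM\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE)
# Script extensions Windows Script Host will execute.
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
WSH_HOSTS = {"wscript.exe", "cscript.exe"}


def is_wsh(image):
    """True when the event's Image is a Windows Script Host binary."""
    return image.rsplit("\\", 1)[-1].lower() in WSH_HOSTS


def is_run_key_persistence(ev):
    """Event 13: a WSH process sets a Run/RunOnce value whose data points at a
    script file ('Adds Run key to start application' in the signature list)."""
    return (ev["EventID"] == 13
            and is_wsh(ev["Image"])
            and RUN_KEY_RE.search(ev["TargetObject"]) is not None
            and SCRIPT_EXT_RE.search(ev["Details"]) is not None)


def is_wsh_network(ev):
    """Event 3: an outbound connection initiated by a WSH process
    ('Blacklisted process makes network request')."""
    return (ev["EventID"] == 3
            and is_wsh(ev["Image"])
            and ev.get("Initiated", True))


def hunt(events):
    """Evaluate each event, then correlate per ProcessGuid: a script host that
    both persists via a Run key and talks to the network is reported as a
    separate, higher-confidence finding. Returns (rule, subject, detail)."""
    findings = []
    seen_by_process = defaultdict(set)
    for ev in events:
        if is_run_key_persistence(ev):
            findings.append(("run_key_persistence", ev["Image"],
                             f'{ev["TargetObject"]} = {ev["Details"]}'))
            seen_by_process[ev["ProcessGuid"]].add("persistence")
        elif is_wsh_network(ev):
            findings.append(("wsh_network_connection", ev["Image"],
                             f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
            seen_by_process[ev["ProcessGuid"]].add("network")
    for guid, seen in seen_by_process.items():
        if seen == {"persistence", "network"}:
            findings.append(("wsh_persistence_then_network", guid,
                             "same process wrote a Run key and went online"))
    return findings


# Constructed sample telemetry (hypothetical GUIDs, paths and destination).
SAMPLE_EVENTS = [
    {   # benign: Explorer registers an ordinary autostart executable
        "EventID": 13, "ProcessGuid": "{aaaa-0001}",
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # wscript.exe persists the dropped .js through HKCU Run
        "EventID": 13, "ProcessGuid": "{bbbb-0002}",
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader",
        "Details": r'wscript.exe //B "C:\Users\user\AppData\Roaming\InstallSlimPDFReader.js"',
    },
    {   # the same wscript.exe process then opens an outbound HTTP connection
        "EventID": 3, "ProcessGuid": "{bbbb-0002}",
        "Image": r"C:\Windows\System32\wscript.exe",
        "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 80,
    },
]

if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

On a real host the same functions apply to Sysmon events pulled from the Microsoft-Windows-Sysmon/Operational log; the network rule deliberately does not key on a particular IP-lookup domain, because the report names none and any outbound connection from a script host is already worth a look.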

Tasks

static1

behavioral1: 10/10

behavioral2: 10/10