General

  • Target

    InstallSlimPDFReader.js

  • Size

    552KB

  • Sample

    201015-maq58vrepn

  • MD5

    3e3c515ce53a1aedb1fe7e8689f2cd39

  • SHA1

    17b761826748ac4c63232f227d529b59323864d0

  • SHA256

    ef487da7a8301df9dca1e74c58433912fca910fb06bc4c941e4c756ce5ff0712

  • SHA512

    f786aebec2f7f31ca0a4b8d3d3dcad2dc3a5d2405d9a5c8f43aab84145d8a52978ee5861d048d49193bcc5c543d641ea8aeb486a4703ce9d746676a3ff579a13

Malware Config

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks