Overview

overview

10

Static

static

f94bfce538...5d1.js

windows7_x64

10

f94bfce538...5d1.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f94bfce5384f10201df977d67ea6c5d1.js

  • Size

    179KB

  • Sample

    210316-144qqm6zqa

  • MD5

    f94bfce5384f10201df977d67ea6c5d1

  • SHA1

    fb5f56e7e554d466b6ca7264c2748826daac8cc7

  • SHA256

    ba25eeb1352d5aab2e09eaa942324510ecd964671e7def1e158c3a543534ca1b

  • SHA512

    492e18b7a219734a9564bd330f5350582bd3c01d72ce0eb491343777d32dec5162c6deaf2c97ee6d6f68e1e2a025182dc20312fc4fe7c1024e0970ab1056ef65

Score
10/10
wshratpersistencetrojan

Malware Config

Targets

    • Target

      f94bfce5384f10201df977d67ea6c5d1.js

    • Size

      179KB

    • MD5

      f94bfce5384f10201df977d67ea6c5d1

    • SHA1

      fb5f56e7e554d466b6ca7264c2748826daac8cc7

    • SHA256

      ba25eeb1352d5aab2e09eaa942324510ecd964671e7def1e158c3a543534ca1b

    • SHA512

      492e18b7a219734a9564bd330f5350582bd3c01d72ce0eb491343777d32dec5162c6deaf2c97ee6d6f68e1e2a025182dc20312fc4fe7c1024e0970ab1056ef65

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks