Overview

overview

10

Static

static

10

receipt.js

windows7_x64

10

receipt.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    receipt.js

  • Size

    210KB

  • Sample

    210421-14xwbm9az2

  • MD5

    0d18f9a0a1605a34247be8918dd3d360

  • SHA1

    1046c9c221468b1a8725d9e958ddf20b0ec3a6c1

  • SHA256

    3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de

  • SHA512

    cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011

Score
10/10
wshratpersistencetrojan

Malware Config

Targets

    • Target

      receipt.js

    • Size

      210KB

    • MD5

      0d18f9a0a1605a34247be8918dd3d360

    • SHA1

      1046c9c221468b1a8725d9e958ddf20b0ec3a6c1

    • SHA256

      3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de

    • SHA512

      cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks