General

  • Target

    CamScanner 24-07-2021 10.36.pdf.js

  • Size

    412KB

  • Sample

    210724-jdee8w19l6

  • MD5

    d1a0a6dea503e07048ae4fcaf7695a5b

  • SHA1

    e11873e54ace729c6cac3cf0d8d09b17a2a0515d

  • SHA256

    52b7322206663f810e900cbbf2f38a6b39303619c34ff26ff4cd6b7914523147

  • SHA512

    2647f49d050cfa72594391b904bfd670212b4b4c4661b8f772e33d01021c63ef93fee7c03ed4422ff03fee4c9013bb3791a770544dba9412759b766406f3f0bf

Malware Config

Targets

    • Target

      CamScanner 24-07-2021 10.36.pdf.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm (also tracked as H-Worm and Dunihi, as the Suricata signature names below show) and is distributed in both VBS and JS variants. This sample is the JS variant, delivered as a .pdf.js file whose double extension makes it look like a scanned PDF.

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup web service to learn the infected system's external IP address, so the request itself looks benign; the value is typically reported back to the C2 during check-in.
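The "Drops startup file" and "Adds Run key" signatures above are the persistence a responder has to find on a host that opened this .js file. The script below is an added triage example for this report, not code from the sandbox, the malware, or any vendor tool: it matches file digests against the IOC hashes listed in this report and hunts a `reg export` style dump of the Run key and a Startup-folder listing for entries that launch a script host or point at a .js/.vbs/.wsf payload. The registry text, the value name `CamScanner`, the `wscript.exe //B` command line and the paths under `C:\Users\victim` are all constructed for illustration and are not from the sample.

```python
"""Triage checks for a WSHRAT-style script dropper (added example, not the report's own tooling).

  1. compare a file's digests with the IOC hashes published in the report above;
  2. hunt for script-host persistence: Run-key values or Startup-folder entries
     that run wscript/cscript or point directly at a .js/.vbs/.wsf file.

All paths, value names and registry text below are constructed for illustration.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Hashes copied from the report above.
REPORT_IOCS = {
    "md5": "d1a0a6dea503e07048ae4fcaf7695a5b",
    "sha1": "e11873e54ace729c6cac3cf0d8d09b17a2a0515d",
    "sha256": "52b7322206663f810e900cbbf2f38a6b39303619c34ff26ff4cd6b7914523147",
}

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
SCRIPT_HOST = re.compile(r"\b[cw]script(?:\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$", re.IGNORECASE)

# .reg export format: [key] lines set the current key; "name"="value" lines
# escape backslashes as \\ and double quotes as \" inside the value.
_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, keyed like REPORT_IOCS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_IOCS}


def match_iocs(file_digests: dict) -> list:
    """Names of the report hashes that the supplied digests match (empty if none)."""
    return sorted(alg for alg, h in REPORT_IOCS.items() if file_digests.get(alg) == h)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> list:
    """Return (key, value_name, data) triples from a `reg export` style dump."""
    out, key = [], None
    for line in text.splitlines():
        if m := _REG_KEY.match(line):
            key = m.group(1)
        elif m := _REG_VALUE.match(line):
            out.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return out


def is_script_launch(command: str) -> bool:
    """True when a command runs a script host or references a script file.
    A Run value that names a .js file directly is still executed by the
    default handler (wscript), so the extension alone is enough to flag."""
    return bool(SCRIPT_HOST.search(command) or SCRIPT_EXT.search(command))


def suspicious_run_values(reg_text: str) -> list:
    """(value_name, command) pairs under Run/RunOnce keys that launch scripts."""
    return [(name, cmd) for key, name, cmd in parse_reg_export(reg_text)
            if key and RUN_KEY.search(key) and is_script_launch(cmd)]


def suspicious_startup_files(paths) -> list:
    """Startup-folder entries whose extension is a Windows Script Host type."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in SCRIPT_EXTS]


# Constructed sample input: a Run-key export with one benign and one suspect value.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CamScanner"="wscript.exe //B \"C:\\Users\\victim\\AppData\\Roaming\\CamScanner 24-07-2021 10.36.pdf.js\""
'''

# Constructed sample input: a listing of the per-user Startup folder.
SAMPLE_STARTUP_DIR = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CamScanner 24-07-2021 10.36.pdf.js",
]


def triage(reg_text: str = SAMPLE_REG_EXPORT, startup_paths=SAMPLE_STARTUP_DIR) -> dict:
    return {"run_values": suspicious_run_values(reg_text),
            "startup_files": suspicious_startup_files(startup_paths)}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

On a live host the same two functions would be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and a directory listing of the Startup folder; `match_iocs(digests(open(path, "rb").read()))` confirms whether a recovered .js file is this exact sample or a re-obfuscated sibling that needs its own analysis.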

MITRE ATT&CK Enterprise v6

Tasks