General

  • Target

    DRAFTCOPY-BILL-PDF309874847.js

  • Size

    1KB

  • Sample

    211021-w52hxaafb7

  • MD5

    8aa7029773c57a40a220e6a6b5e11f32

  • SHA1

    10cee1e3ab432641e3edf8f477cf76a527200cf3

  • SHA256

    65a5df237d47b30ebe2f5b01c7e9e99e29d9d6ee14c2c6d718a538e4013c0a55

  • SHA512

    e66ca934f1b9a3e0913f765845c435042e4b3987a31f8bf08a2742ce8d40dabc26f5b8d933e0f598d940bcea4f1c33fb22a1d106e830f457c4453e58cb110717

Malware Config

Extracted

Family

wshrat

C2

http://concideritdone.duckdns.org:5001

Targets

    • Target

      DRAFTCOPY-BILL-PDF309874847.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6