General

  • Target

    facturas vencidas.js

  • Size

    909KB

  • Sample

    211026-y5bzcsace3

  • MD5

    4002af6477f7e690003fcaa27f1711b5

  • SHA1

    62bf21de613699c3e43d8db585ea42d34e492dfc

  • SHA256

    c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77

  • SHA512

    f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430

Malware Config

Extracted

Family

wshrat

C2

http://titopeo1.duckdns.org:9781

Targets

    • Target

      facturas vencidas.js

    • WSHRAT

      WSHRAT (WSH RAT) is a Windows Script Host remote access trojan derived from the Houdini worm (H-Worm); it is distributed in both VBScript (.vbs) and JScript (.js) variants, this sample being the .js form.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Queries a legitimate public IP-lookup web service to learn the infected host's external IP address, which the RAT reports to its C2.
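The extracted config above gives one C2 (titopeo1.duckdns.org:9781) and the signature list gives four behaviours (script host making network requests, Run key, Startup-folder drop, external-IP lookup). The following is an added example, not part of the sandbox report, showing how a hunter could turn those into detection logic over endpoint telemetry and match a file against the report's hashes. The events are constructed Sysmon-style records (not real telemetry); the IP-lookup service names, the choice of wscript.exe/cscript.exe as the "blocklisted" script hosts, and the dynamic-DNS suffix list are the example's own assumptions. The hashes and C2 host/port are the report's own values. The lure filename "facturas vencidas.js" is Spanish for "overdue invoices".

```python
"""Hunt for the WSHRAT behaviours listed in the sandbox report (added example)."""
import hashlib
import re

# IOCs copied from the report above.
IOC_SHA256 = "c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77"
IOC_MD5 = "4002af6477f7e690003fcaa27f1711b5"
C2_HOST = "titopeo1.duckdns.org"
C2_PORT = 9781

# Assumption: the "blocklisted process" rule covers at least these script hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Persistence locations named by the "Adds Run key" / "Drops startup file" signatures.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Assumption: common public IP-lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org", "icanhazip.com"}
# Assumption: dynamic-DNS providers worth flagging even when the exact C2 host differs.
DDNS_SUFFIXES = (".duckdns.org",)

# Constructed Sysmon-style events, one infected script host (pid 4321) and one benign browser.
EVENTS = [
    {"type": "process", "pid": 4321, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\facturas vencidas.js"'},
    {"type": "registry", "pid": 4321,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas",
     "value": r'wscript.exe //B "C:\Users\u\AppData\Roaming\facturas vencidas.js"'},
    {"type": "file", "pid": 4321,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js"},
    {"type": "network", "pid": 4321, "dest_host": "api.ipify.org", "dest_port": 80},
    {"type": "network", "pid": 4321, "dest_host": "titopeo1.duckdns.org", "dest_port": 9781},
    {"type": "process", "pid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
    {"type": "network", "pid": 5000, "dest_host": "www.mozilla.org", "dest_port": 443},
]


def triage(events):
    """Map each signature name to the set of pids that triggered it."""
    # Resolve pid -> image basename from process-creation events.
    proc = {e["pid"]: e["image"].rsplit("\\", 1)[-1].lower()
            for e in events if e["type"] == "process"}
    hits = {}

    def hit(name, pid):
        hits.setdefault(name, set()).add(pid)

    for e in events:
        pid = e["pid"]
        image = proc.get(pid, "")
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            hit("Adds Run key to start application", pid)
        elif e["type"] == "file" and STARTUP_RE.search(e["path"]):
            hit("Drops startup file", pid)
        elif e["type"] == "network":
            host = e["dest_host"].lower()
            if image in SCRIPT_HOSTS:
                hit("Blocklisted process makes network request", pid)
            if host in IP_LOOKUP_HOSTS:
                hit("Looks up external IP address via web service", pid)
            if host == C2_HOST and e["dest_port"] == C2_PORT:
                hit("Known WSHRAT C2", pid)
            elif host.endswith(DDNS_SUFFIXES):
                hit("Dynamic DNS destination", pid)
    return hits


def matches_ioc(data: bytes) -> bool:
    """True if a file's content hashes to the report's sample."""
    return (hashlib.sha256(data).hexdigest() == IOC_SHA256
            or hashlib.md5(data).hexdigest() == IOC_MD5)


if __name__ == "__main__":
    for name, pids in sorted(triage(EVENTS).items()):
        print(f"{name}: pids {sorted(pids)}")
```

The Run key and Startup-folder checks are keyed on path fragments rather than the exact value name, since WSHRAT samples differ in the filename they persist under; the C2 check is exact, with the dynamic-DNS suffix match as a weaker fallback for related infrastructure.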

MITRE ATT&CK Enterprise v6