General

  • Target

    PO-NOVERMBER-877899PDF.js

  • Size

    1.9MB

  • Sample

    211102-jm5rdscac8

  • MD5

    e2be463b7572adf0a980f27f3daafcf3

  • SHA1

    bee36928051a60bf2a1a0b9b02280d16aee6967b

  • SHA256

    ee0073705af75336561ad765f570b06762c14ecbc0d67edb538eab2ac2884ba2

  • SHA512

    14753796a8c6eb72446134416e096fb4a924efc47aea0aa038d7b1d666c8eccd3e0ff41763332c4a2e930f8f3089344313e414ff73217505232b0e8a6da59909

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://concideritdone.duckdns.org:5001

Targets

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
