General

  • Target

    Scan0101.js

  • Size

    1005KB

  • Sample

    211108-jft2babdh8

  • MD5

    20688e329a4f62bb845237749bb94071

  • SHA1

    b339e4776b232be49f461ca931fc15a93c124590

  • SHA256

    6e275579109009e0df24db2a88abf3fffe7a4ce35e4b99450cb2ba3b622a4eef

  • SHA512

    0ec7fc90a49db982c42f111c19c68615993450e8816f73ef4ae0f9785af0f4d4fdbeedd411c55011c9060928e1a6559d450e0a1a6bfa66aad22f18aa88ca0845

Malware Config

Extracted

Family

wshrat

C2

http://140.228.29.190:7121

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6