General

  • Target

    launcher service.js

  • Size

    884KB

  • Sample

    211210-c1v1sagdhp

  • MD5

    8dce2fac1cdb56ef997f0c4f8065f82e

  • SHA1

    da01f70d7035a8e8421d2296c7b481dc6dcb2b09

  • SHA256

    6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411

  • SHA512

    cb622198fee5d9810e6762f82c78da1a3868b1b67061d788b1af124f6f39456de73b7ba90452098983ff32762f28d471b1c546d228a393cf7364e1babfaac6a3

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://ben738sj11xz.mywire.org:5478

Targets

    • Target

      launcher service.js

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks