General

  • Target

    ShippingDocuments.js

  • Size

    267KB

  • Sample

    221025-cxevdsbchj

  • MD5

    c838b4169a9d43b68389d2e2cce9abd4

  • SHA1

    e11a9a85e759d3bba04299b2c6cda15f8b80ba71

  • SHA256

    cdccee46e5ffe96721e95934c1613ed849e2abbdbab661de99afdd08e2d7dc1f

  • SHA512

    f7cf7ff1b67724fe02416a5f958021136b522819ee3d12e314de32d303d0a5b88369d734451a141a840cec24f83149641ae127d96c42d5786ffa2daf52d3dbb6

  • SSDEEP

    3072:v7tZTJ/YEPeu67u+Q5QFWwjQCJNsfkAiZNnqWznF6YHatndrvgtHzxxX6++JY82/:v/DwjQCvKWznUYK4FzxxKTJMdG8y2EO

Malware Config

Extracted

Family

wshrat

C2

http://huntebez.xyz:1702

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks