General

  • Target

    PShipDocu.js

  • Size

    267KB

  • Sample

    221026-hqdawafabq

  • MD5

    6f1e4abdfd15d34fd183f46bc7264801

  • SHA1

    cd681ed5d352c7c29aaf3e5d8bdd96478d35adab

  • SHA256

    3ecbdd867e103f88ff2ea4395c9888f69858e66c6f0b7fd43968f12524ec1987

  • SHA512

    bf11cd65a79f4004eb3670cb7f21c30887e2ee904cde2ad929fa5561726450fb4d68e1d9a859322d9fd54c7c7fe011f31fa85cbdf2713212008c5d50bcbd6ba3

  • SSDEEP

    6144:v457woVOZpfDBktAT2j7QF7Q43PdtTkTlMkbe/hMEN:v3dweTe7QF9j4dqyEN

Malware Config

Extracted

Family

wshrat

C2

http://durband.duckdns.org:1705

Targets

    • Target

      PShipDocu.js

    • Size

      267KB

    • MD5

      6f1e4abdfd15d34fd183f46bc7264801

    • SHA1

      cd681ed5d352c7c29aaf3e5d8bdd96478d35adab

    • SHA256

      3ecbdd867e103f88ff2ea4395c9888f69858e66c6f0b7fd43968f12524ec1987

    • SHA512

      bf11cd65a79f4004eb3670cb7f21c30887e2ee904cde2ad929fa5561726450fb4d68e1d9a859322d9fd54c7c7fe011f31fa85cbdf2713212008c5d50bcbd6ba3

    • SSDEEP

      6144:v457woVOZpfDBktAT2j7QF7Q43PdtTkTlMkbe/hMEN:v3dweTe7QF9j4dqyEN

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks