General

  • Target: Goods.js
  • Size: 25KB
  • Sample: 221027-gj57msbaf2
  • MD5: f1adae8851371ac2265761f593c99b7f
  • SHA1: fd0258eba70d536c198650fbe24ff9c01d5c472a
  • SHA256: a4aa874fca6b92a1230f369b0b6669bf002b6c57b46266c0f4c7b6e0c195bcbb
  • SHA512: d6d375257553fe57fe9785ff243d7a188dba63a687422d189ba5ce2c6aceab3b89d206566ba9a5afc77729d0d57c043cfc1bf69a9a44609d6197542f090c372a
  • SSDEEP: 384:wPUtaScSEbyO+0Wrr6k5AFv0KoYDBRmGgp1i394eeS3:QC7EbGruFveYDBRmGguN4e13

Malware Config

Extracted

  • Family: wshrat
  • C2: http://212.193.30.230:7780

Targets

    • WSHRAT: WSHRAT is a variant of the Houdini worm and has VBS and JS variants.
    • Blocklisted process makes network request
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks