General

  • Target

    wynmove (1).js

  • Size

    25KB

  • Sample

    221027-kv1m3sbfb8

  • MD5

    dc29c0a43eee53c7d2ac1467c6bacc95

  • SHA1

    d7ddf05456e62c9f67fea236f4fc095693fe6bb2

  • SHA256

    7c99d386a0f2df0ef6bc6adc32207bec986ec5784e102081441c2299487af118

  • SHA512

    a4b518116b0b8cc5efa369423ec7a1cc6948e40f1cc2e0d184189d6ed4f581aca2b4ef9d3bbc7f08da614a087a377a11fa3f11759dbb561da6bfc9ef9fc827f7

  • SSDEEP

    384:2LZdyzGc+R5+MM+PqsZHdGD9wC19p4FrIFn8g2KgMOJNpaxv5psFxe:2DFhKMzqaelp4FrIF8gG0sPe

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks