General

  • Target

    wynlog (1).js

  • Size

    188KB

  • Sample

    221027-kv1m3sbffk

  • MD5

    746654691cf5871e668bca54d52e7473

  • SHA1

    f4d2aedb12837e06a9a973bb1633025adb4fa3ab

  • SHA256

    bec14ec823d83fdada93ec1198c296d1b5e28b0faba61656366551cc1c24526a

  • SHA512

    b1c38a609d4eaefdd2d82ce75b97b64a87497fd3f11a19495d9b3e37b41585e75b3019f553e40762c8bba05071be741a9ee25f4430625ae963a9e358e35d1fed

  • SSDEEP

    3072:BGLYwJ2ZqyeZ8ibIpklgVDSxGfmuZcbURCvQ0bam8vEzKeGK/6iM7:BGLYw4ZPsAklgF2GuuZTRC4MSveGKJM7

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6