General

  • Target

    wynlog (1).js

  • Size

    189KB

  • Sample

    221028-lfxhjsffdn

  • MD5

    bc2c4ce0e4cd1ae0b5b0af84b03d0a66

  • SHA1

    8d5fc4d413918b3750d1ed16c0ccc4d105a3c891

  • SHA256

    726d793d69e118eedfdb88458f8dbd241dfb931ce3819058ee53527b8ee32b15

  • SHA512

    55d8485603a7622ef810031c54baeabf6c43152209f0edc1543060082851e54c7b9776190b3d4fd1b4172941bebbfbea641b30222bc96c997571f622b938d7e5

  • SSDEEP

    3072:6E8ez9oru2wvhQ0bamBbIpklgVDSxGfmuZSZ7tvEzpVeGK/65TbURCF:61c9yMrAklgF2GuuZWpKeGKfRCF

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks