General

  • Target

    5cc3110cf10e1ebf8cb6090377ea1ef869fc3cd55e7ed6f6f56aa2cd8069b572.js

  • Size

    267KB

  • Sample

    221029-yszjwsdfgp

  • MD5

    1e5ddaf84fe7b09586a903bb3fdfd0a7

  • SHA1

    236c49968ca1ffd2d39e3baed2dfa36817156c58

  • SHA256

    5cc3110cf10e1ebf8cb6090377ea1ef869fc3cd55e7ed6f6f56aa2cd8069b572

  • SHA512

    33c87ba6ad22a468af8f35795a5d7356c95061fa14ce47c8fefcd94f4af22e840566ccc867c8d4d6f1d8e3003fc98dc36cdf4d06fa5391ff5aaa324ae9a8d231

  • SSDEEP

    6144:nD0oZ66CN48NsgcSFW9oq/C4+moZUfs8BySTlA4R6r:nXL7H9j/C4jpH+CE

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Targets

    • Target

      5cc3110cf10e1ebf8cb6090377ea1ef869fc3cd55e7ed6f6f56aa2cd8069b572.js

    • Size

      267KB

    • MD5

      1e5ddaf84fe7b09586a903bb3fdfd0a7

    • SHA1

      236c49968ca1ffd2d39e3baed2dfa36817156c58

    • SHA256

      5cc3110cf10e1ebf8cb6090377ea1ef869fc3cd55e7ed6f6f56aa2cd8069b572

    • SHA512

      33c87ba6ad22a468af8f35795a5d7356c95061fa14ce47c8fefcd94f4af22e840566ccc867c8d4d6f1d8e3003fc98dc36cdf4d06fa5391ff5aaa324ae9a8d231

    • SSDEEP

      6144:nD0oZ66CN48NsgcSFW9oq/C4+moZUfs8BySTlA4R6r:nXL7H9j/C4jpH+CE

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS versions.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
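The indicators above (file hashes, the C2 host and port, and the Run-key persistence) can be turned into hunting checks. The script below is an added example written for this page, not output of the sandbox or code from the sample: it matches the report's C2 against constructed proxy log lines (flagging the exact host:port as high confidence and the same host on other ports as medium), scans a constructed reg.exe-style export of the Run key for script-host launches of .js/.vbs files, and compares a byte string against the listed SHA256/MD5. The log and registry lines are constructed here for illustration.

```python
"""Hunting checks built from the IOCs in the WSHRAT report above (added example)."""
import hashlib
import re

# Indicators copied from the report.
SHA256_IOC = "5cc3110cf10e1ebf8cb6090377ea1ef869fc3cd55e7ed6f6f56aa2cd8069b572"
MD5_IOC = "1e5ddaf84fe7b09586a903bb3fdfd0a7"
C2_HOST = "45.139.105.174"
C2_PORT = 3670

# Constructed proxy log lines (not from the report): "ts src dst:port method url".
SAMPLE_PROXY_LOG = """\
2022-10-29T12:00:01Z 10.0.0.15 45.139.105.174:3670 POST http://45.139.105.174:3670/
2022-10-29T12:00:03Z 10.0.0.15 93.184.216.34:443 GET https://example.com/
2022-10-29T12:00:05Z 10.0.0.22 45.139.105.174:80 GET http://45.139.105.174/
"""

# Constructed reg.exe-style export of the Run key (not from the report).
SAMPLE_RUN_KEYS = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    update      REG_SZ    wscript.exe //B "C:\\Users\\u\\AppData\\Roaming\\update.js"
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# A Run-key value that starts wscript/cscript with a Windows Script Host file.
SCRIPT_HOST_RE = re.compile(
    r"\b(wscript|cscript)(\.exe)?\b.*\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE
)


def find_c2_traffic(log_text, host=C2_HOST, port=C2_PORT):
    """Return hits for connections to the C2 host; exact port is high confidence."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m or m["dst"] != host:
            continue
        dst_port = int(m["port"])
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "port": dst_port,
            "confidence": "high" if dst_port == port else "medium",
        })
    return hits


def find_script_run_keys(reg_text):
    """Return (value_name, command) for Run-key values launching a script host."""
    hits = []
    for line in reg_text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or parts[1] not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue  # key path line or unexpected format
        if SCRIPT_HOST_RE.search(parts[2]):
            hits.append((parts[0], parts[2]))
    return hits


def hashes_match(data: bytes):
    """Compare SHA256 and MD5 of a byte string with the report's file hashes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest() == SHA256_IOC,
        "md5": hashlib.md5(data).hexdigest() == MD5_IOC,
    }


if __name__ == "__main__":
    for hit in find_c2_traffic(SAMPLE_PROXY_LOG):
        print("C2 traffic:", hit)
    for name, cmd in find_script_run_keys(SAMPLE_RUN_KEYS):
        print("Suspicious Run key:", name, "->", cmd)
    print("Hash match on constructed data:", hashes_match(b"not the sample"))
```

Treat the Run-key check as a lead, not a verdict: legitimate software occasionally uses wscript.exe at logon, so pair a hit with the path of the launched script (AppData/Roaming or Startup folders are typical for this family) and the hashes before acting.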

MITRE ATT&CK Enterprise v6

Tasks