General

  • Target

    wyrecover (1).js

  • Size

    188KB

  • Sample

    221104-vsk5qabahn

  • MD5

    fffb69df585df4ed900ba69aef15c41e

  • SHA1

    2e8e68b4616e28fa4d829cfe1a47e2a2006c9fb4

  • SHA256

    ad718edd0bead205d5c8e0dc326a5c89ca3ba177914e6d16fe03a09c5f9984f3

  • SHA512

    0494c53e766375fe4b3f56725e65743cf92835a38bf60d3095ace26b9a947dd840282de2f93d3b333dcaf3ba6fd287cf3a7219b722e8f4f92c5c8210b86b97c4

  • SSDEEP

    3072:GZebURCmAvEzHveGK/63H5pjOjOfQ0bamXbIpklgVDSxGfmuZJR:SRChmveGKyH5pjOjOoMhAklgF2GuuZ/

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6