General

  • Target

    shipment documents.js

  • Size

    261KB

  • Sample

    221109-mqwjnsgag8

  • MD5

    3e1912c2b0aeb17efa1a1a264b95990d

  • SHA1

    7d2b1111ea0d56dd41dbb83d1685be38e8269dd0

  • SHA256

    749f06ddf9408597828f68ac69a74627d8fe31b23c0e25f5dbfb92301c0d2898

  • SHA512

    f4352a6aafd9edfeb155a4d5b31bfe08383751e5c5cadee1a3f54c6ba1cf2ec765a108a260470204c532bcc8534ebc020b8d5c1f77e0b84c548545c6236daad6

  • SSDEEP

    6144:GQdLQjTvan7FriEnXqdp1iBIj57JWokqNfiOgH8wEkmW:NdqTyJX87iqXs2hY

Malware Config

Extracted

Family

wshrat

C2

http://egodds.longmusic.com:2048

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks