General

  • Target

    879-5160.js

  • Size

    438KB

  • Sample

    221109-r35qbsbcek

  • MD5

    90764ebb7698c03e99414abebcb5746c

  • SHA1

    047fae3fc68e5a3d540606e23a9e0c776caed390

  • SHA256

    74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68

  • SHA512

    e88154b0e2db0ea886e0ea1de3ff0053dbff387f2b1b941f5ceedaa73d3c72d26dbc6e8c9b97e6f7d79f1f624afad65ff4ec3eafe2f57db831f10af2ecbfdcdc

  • SSDEEP

    6144:uG40ClC7RcWn8EZ5K9wCmZ7FMI5L2sDlPt8rXC8kjJ1egfVX8IPxxmVfhiUJeeI+:uG4BiF5K9YV2mtw3gdXZXEIvYcXM

Malware Config

Extracted

Family

wshrat

C2

http://egodds.longmusic.com:2048

Targets

    • Target

      879-5160.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks