General

  • Target

    879-5160.rar

  • Size

    280KB

  • Sample

    221109-sp6wxahhc4

  • MD5

    5bc248f2c70e8a473d5a5e33ff90579d

  • SHA1

    c0216258b7f720a0ef6303046172447e8aa51349

  • SHA256

    2bcd0ec21bad7f6955cad32f1f5403f07553796d4489feb1a3f3338549e161f0

  • SHA512

    72b1d1e0dd8070edbb69a2a35de79e7dc9b69dc4a4996cf5fe29343a3b2737b389e0da3e0bb3ae9eaedb5987d02ab27a742041e45447ba887db4c238b760b793

  • SSDEEP

    6144:up5S2I8K9q2T2fhZAdxkqyLI23XaXI0cKC87x4WTR6YffngRx7RjjOJti3a7I1wb:YK9Kfhq85D6MKC0TXIRxVN3aaC7

Malware Config

Extracted

Family

wshrat

C2

http://egodds.longmusic.com:2048

Targets

    • Target

      879-5160.js

    • Size

      438KB

    • MD5

      90764ebb7698c03e99414abebcb5746c

    • SHA1

      047fae3fc68e5a3d540606e23a9e0c776caed390

    • SHA256

      74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68

    • SHA512

      e88154b0e2db0ea886e0ea1de3ff0053dbff387f2b1b941f5ceedaa73d3c72d26dbc6e8c9b97e6f7d79f1f624afad65ff4ec3eafe2f57db831f10af2ecbfdcdc

    • SSDEEP

      6144:uG40ClC7RcWn8EZ5K9wCmZ7FMI5L2sDlPt8rXC8kjJ1egfVX8IPxxmVfhiUJeeI+:uG4BiF5K9YV2mtw3gdXZXEIvYcXM

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks