General

  • Target

    Quotation Specification.js

  • Size

    257KB

  • Sample

    221111-hmg5nabhhr

  • MD5

    e518b794449fb8aefe303d42733ecfb5

  • SHA1

    0fe32c2da493796eb96efc097e77e93235652ee1

  • SHA256

    ffccd7f8f935bdf8fdd19010b90a66d381f78a11372d87ea2ea9c62f02977bb4

  • SHA512

    c7154e0a529dfbce737b471e4a3c31dddfa8d91e5dc90da5bf85d8f4c029b6ba2872971283f73365a2ca9eab0e4e1ef97684b979a310d0064c0e1975804c507b

  • SSDEEP

    6144:urVEkpKaD68mn+e5ssyguHaQxCKcw6ZI3+8xMSblw8TSP:urBxDDH/xCKl7NOI8

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • Target

      Quotation Specification.js

    • Size

      257KB

    • MD5

      e518b794449fb8aefe303d42733ecfb5

    • SHA1

      0fe32c2da493796eb96efc097e77e93235652ee1

    • SHA256

      ffccd7f8f935bdf8fdd19010b90a66d381f78a11372d87ea2ea9c62f02977bb4

    • SHA512

      c7154e0a529dfbce737b471e4a3c31dddfa8d91e5dc90da5bf85d8f4c029b6ba2872971283f73365a2ca9eab0e4e1ef97684b979a310d0064c0e1975804c507b

    • SSDEEP

      6144:urVEkpKaD68mn+e5ssyguHaQxCKcw6ZI3+8xMSblw8TSP:urBxDDH/xCKl7NOI8

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks