General

  • Target

    AWB NO - 4806763435.zip

  • Size

    170KB

  • Sample

    221123-hvez9shh8x

  • MD5

    4618be89b14601f060a21e46fe739b6b

  • SHA1

    fb44e490f3669c78dd6346f57934e710d6147cb5

  • SHA256

    7ebd49f02df0409e5bdc81f93d4ab6af67c2c5690ef4766af6cda8f7e3d4e837

  • SHA512

    fa703cd12b5dc74f5f4a4de1f55029beb321f1f0f305d886e6c35af6646686ba279fc6d9a8befe8f20cd5952f8dd93f4c4bf5c8eadefa166757f08f19e41ebac

  • SSDEEP

    3072:BySTlmLJjTaphh0QRafVBMDByUGGQPH7BLS1mPrPLIBNdTb3x:jpuTafSQR8DMD0JPbBLamPrPLIXdJ

Malware Config

Extracted

Family

wshrat

C2

http://goodies.dynamic-dns.net:9202

Targets

    • Target

      AWB NO - 4806763435.js

    • Size

      304KB

    • MD5

      0cdef7f1449aca5a0c1439844d33a593

    • SHA1

      9ef5f183e1253b349549ed704e35deba2b439bde

    • SHA256

      7367743f876ffc7a318d768e51dd4b9323b8e7561b67827eca9ab0a2c1e670e4

    • SHA512

      d9547601d7b6d4b771cbb74dbcd0d65db1dea7f6766a47b7567b31e8102172d268eee02108c47d526ac3b7f2a6a8015e757f86d355d17ff7fd9b642e95eaf3b1

    • SSDEEP

      6144:pmnZ8AVCSuhEg9s44GY5Yi3CM2OMZ0PQ8xa6nlF20xuf:8hb/z5j3CMXVDKa+

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks