General

  • Target

    proof of payment.js

  • Size

    889KB

  • Sample

    230401-h9jl1aaa7y

  • MD5

    efc5acb3aca2cf5fbeb9a84cfeead4ea

  • SHA1

    268e8aac48146555279c8464348f7715f360f81b

  • SHA256

    1df7fbf9fa17d2a0d1842835081786741b976a2a20fde19aabbe4f34af62df07

  • SHA512

    1a3a8d2dee581d6126303f6c11286c354b5d46efc37cac20eaf2f288aa72f5a9f71f71ccabca826fe29a9ce07cce2a87b22435442f3547b4f5841b5fd79c16fa

  • SSDEEP

    6144:GQpGhV3Cbp8Ka7UqqaaRyHIQwkKaq2iuh8Qy04sBGi+oIdzdya6R/EHHKgk/kZjJ:NchO

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:1604

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6