General

  • Target

    Scan0030.js

  • Size

    898KB

  • Sample

    230508-qacneaaf99

  • MD5

    b2b05e1631db082866c8f9d38cddf403

  • SHA1

    3f19e69b66bf8c50993b55e5744818e3e92d4156

  • SHA256

    c7805522f881cfa27c3cc92917f28da0f770d1e4ffe5aa170751058553da73ed

  • SHA512

    7b7f6ab57bb555e07bd39e21e1470ea73c2dc4c1fa97bc1bbfb3361f8f2659d503a445a90e4125556a2ceba4236f83a077961340c435db0e070a91f6269d4c56

  • SSDEEP

    6144:ROD297zg2plJPacQwE6hkpA0LysIfFk9jvCsYS9H17d9qFPNL6Z4MnJHI9Q6NCwU:+LP

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      Scan0030.js

    • Size

      898KB

    • MD5

      b2b05e1631db082866c8f9d38cddf403

    • SHA1

      3f19e69b66bf8c50993b55e5744818e3e92d4156

    • SHA256

      c7805522f881cfa27c3cc92917f28da0f770d1e4ffe5aa170751058553da73ed

    • SHA512

      7b7f6ab57bb555e07bd39e21e1470ea73c2dc4c1fa97bc1bbfb3361f8f2659d503a445a90e4125556a2ceba4236f83a077961340c435db0e070a91f6269d4c56

    • SSDEEP

      6144:ROD297zg2plJPacQwE6hkpA0LysIfFk9jvCsYS9H17d9qFPNL6Z4MnJHI9Q6NCwU:+LP

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks