General

  • Target

    PO 20091827994.js

  • Size

    188KB

  • Sample

    230512-hgb2fsed3w

  • MD5

    e4a7014bfead25288d47e334a826bb70

  • SHA1

    0ba7cb74c5339cfaf5f8043bced60b6f0e9be74f

  • SHA256

    0508ed9357a104ac884b78d8bfe3dc7a21ac3aff689115055856452df8ea3a87

  • SHA512

    7349bc7b6336fcd9fda695fbb2ddbbfc6353d65c1c22910878142426921673c9fe646c7e238a69c26bd177e8a0cfd3a353761b6a0b4840372087d92bb73f7744

  • SSDEEP

    3072:rTsQ0bamIbIpklgVDSxGfmuZzAvEzYbURCBqZdg8piAZmC54leGK/6N:rvMoAklgF2GuuZzwERC5fC54leGKm

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
