General

  • Target

    proof of payment.js

  • Size

    996KB

  • Sample

    230518-q6w2xsbg89

  • MD5

    7135b41aea77a2b6c6c7596a539b4969

  • SHA1

    8ffe998003f2049c4853a86e9fcaf9fb77a2d175

  • SHA256

    4f59887cc69a47f38ada16e76602ed520e235c9638923b8c17378c64252bd9fe

  • SHA512

    804889018a76e00853f1207c129aaff3dfb8c7ed3de570195db2d1c4eb7de3a533ba294dfc2d5a63075267faffcb0547634a3659e75400955aa8e1f2373367b9

  • SSDEEP

    6144:QQu9MZdOv/meeqFp/3Rxc/uzchRhVKlb90kNgQgaIZolrVBYWr+Uqb2KKV/mClfV:TCp

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:1604

Targets

    • Target

      proof of payment.js

    • Size

      996KB

    • MD5

      7135b41aea77a2b6c6c7596a539b4969

    • SHA1

      8ffe998003f2049c4853a86e9fcaf9fb77a2d175

    • SHA256

      4f59887cc69a47f38ada16e76602ed520e235c9638923b8c17378c64252bd9fe

    • SHA512

      804889018a76e00853f1207c129aaff3dfb8c7ed3de570195db2d1c4eb7de3a533ba294dfc2d5a63075267faffcb0547634a3659e75400955aa8e1f2373367b9

    • SSDEEP

      6144:QQu9MZdOv/meeqFp/3Rxc/uzchRhVKlb90kNgQgaIZolrVBYWr+Uqb2KKV/mClfV:TCp

    Score
    10/10
    • WSHRAT

      WSHRAT is a variant of the Houdini worm; it is distributed as both VBS and JS scripts.

    • Blocklisted process makes network request

    • Checks computer location settings

      Reads the country code configured in the registry, most likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.
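
The behaviours flagged above (registry locale lookup, external IP lookup via a web service, startup-folder drop) and the extracted IOCs (file hashes, C2 URL) are the pieces a responder actually reuses. The following Python is an added example, not code from the report or from the sample: it matches a file's hashes against the values listed on this page, splits the extracted C2 into host and port for blocklisting, and runs a small static indicator scan over a constructed, benign JScript snippet. The regexes are assumptions about generic WSH/JScript idioms for each behaviour, not patterns extracted from this sample.

```python
"""Static triage helpers for a WSH-script sample: IOC matching and behaviour-indicator scan."""
import hashlib
import re
from urllib.parse import urlsplit

# Hash values and C2 URL as listed in the report above.
REPORT_HASHES = {
    "md5": "7135b41aea77a2b6c6c7596a539b4969",
    "sha1": "8ffe998003f2049c4853a86e9fcaf9fb77a2d175",
    "sha256": "4f59887cc69a47f38ada16e76602ed520e235c9638923b8c17378c64252bd9fe",
}
REPORT_C2 = "http://harold.2waky.com:1604"

# Assumed indicator patterns for the three reported behaviours plus the WSH shell object.
# They model common WSH/JScript idioms; they are not taken from this sample.
INDICATORS = {
    # RegRead of a value under HKCU\Control Panel\International (JScript doubles the backslashes)
    "registry_locale_lookup": re.compile(
        r"RegRead\s*\(\s*['\"]HKCU\\+Control Panel\\+International\\+", re.I),
    # URL of a public "what is my IP" service
    "external_ip_lookup": re.compile(
        r"https?://[^'\"\s]*(?:ipify|ip-api|ipinfo|icanhazip|checkip)[^'\"\s]*", re.I),
    # Resolving the per-user Startup folder, the usual drop location for persistence
    "startup_folder_drop": re.compile(r"SpecialFolders\s*\(\s*['\"]Startup['\"]\s*\)", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
}


def hash_bytes(data: bytes) -> dict:
    """Compute the digests the report lists, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> dict:
    """Per algorithm, whether the given bytes match the report's hash."""
    computed = hash_bytes(data)
    return {name: computed[name] == REPORT_HASHES[name] for name in REPORT_HASHES}


def c2_endpoint(url: str) -> tuple[str, int]:
    """Split a C2 URL into (host, port), defaulting the port from the scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def scan_script(text: str) -> dict:
    """Return {indicator_name: [matched snippets]} for every indicator found in the script."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


# Constructed, benign stand-in for a WSH dropper (not the real sample): it only
# exercises the idioms the indicators look for.
SAMPLE_JS = r'''
var sh = new ActiveXObject("WScript.Shell");
var cc = sh.RegRead("HKCU\\Control Panel\\International\\sCountry");
var req = new ActiveXObject("MSXML2.XMLHTTP");
req.open("GET", "https://api.ipify.org/", false);
req.send();
var startup = sh.SpecialFolders("Startup");
'''

if __name__ == "__main__":
    host, port = c2_endpoint(REPORT_C2)
    print(f"block outbound to {host}:{port}")
    for name, snippets in scan_script(SAMPLE_JS).items():
        print(f"{name}: {snippets[0]}")
    print("hash match against report:", matches_report(SAMPLE_JS.encode()))
```

To check a real file, pass its bytes to `matches_report()`; a SHA256 match is conclusive, while an MD5 or SHA1 match alone should only be treated as a lead. The indicator scan is deliberately loose (case-insensitive, tolerant of whitespace) so it still fires on lightly reformatted scripts, but it will not see through string obfuscation; run it on the deobfuscated payload.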

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic     Technique                       ID     Count
Discovery  Query Registry                  T1012  1
Discovery  System Information Discovery    T1082  2

Tasks