General

  • Target: Payment Notification.js
  • Size: 1009KB
  • Sample: 230522-krm8ksfb73
  • MD5: e7fcc6eafeb8d232acb424cf11a72144
  • SHA1: 4c16409adece66c53e8b1caf87f6bd6f30e611e8
  • SHA256: 4854f4cdfc2cc56b7e62e3cb3503e4d2873207bd1dd99805f3c39a666a1473b5
  • SHA512: 5e03618e89145435b49aaeaccb3b40886a44ecf752c8bf49a1284e8b2a647c7492199c8a2ad13c0393ae591d71f221c09ecd0e2be93b76a8fee6a29196128949
  • SSDEEP: 3072:QQLlH0xKE8W8za9r6HLb6kyVIksLgu9M/z/SjANqyCCn50jPjSF:QQG

Score
10/10

Malware Config

Extracted

  • Family: wshrat
  • C2: http://harold.2waky.com:1604

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry, T1012 (1)
  • System Information Discovery, T1082 (2)

Tasks