General

  • Target

    2161b5dd86e081eda035a9f959c1fc740b6ac31a47791eb7ce457965335cb5c5

  • Size

    4KB

  • Sample

    230914-3j5f1afh3s

  • MD5

    8852b0d1aeb1b62774629a89737c1164

  • SHA1

    c7ee12bbf21708953f3f87fdc2aa32368475ec08

  • SHA256

    2161b5dd86e081eda035a9f959c1fc740b6ac31a47791eb7ce457965335cb5c5

  • SHA512

    db39eafa0eb122b5d888a3389985df073b3289461311753e773e07dc16931727c94999810896d450c4273ae73ca145b0eb73452752f878ba1c118ec21706f864

  • SSDEEP

    96:DWWLkzYxaJRquZOfaZH4cPKapHAgsEMBtpbEOoWoBsLsveYqfOWLvU4fno5F:DyzNSaJ4civEcDP5LsGYaOwBno5F

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://homesafe1000.duckdns.org:1604

Targets

    • Target

      SoftBankNDA.js

    • Size

      21KB

    • MD5

      c8f19fa9f346f7409e3bba98c1e3f058

    • SHA1

      d857192d59c0ce2196925ce59436e0e36d94b6ee

    • SHA256

      645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

    • SHA512

      cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

    • SSDEEP

      384:n/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:n/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks