General

  • Target

    ORDER-2436788-EQU.js

  • Size

    7KB

  • Sample

    240406-janmcaeb56

  • MD5

    c6c65e265e4022e202e8c7f5e64271e9

  • SHA1

    2f6dc1c70380f2c98fea5f98cdf77a17046dfb67

  • SHA256

    06b85304eb7d9ccb2285b4687e69b4cdf033183ee2d67c7559256ab1e5617637

  • SHA512

    22a2159efe41cdd86b883b24264fcd6c713a120c0a197cc9ccf2b33d1d79773fd3dfbb1ff1f3dbc782e429c845b33f46bea459d8c6ccd67aabfe669061409dae

  • SSDEEP

    96:9HuztrQH4tdyUCF4Z4mU44WCFvrUftdyUCFAKzoRfzuzhdfzuzMDDS7KTLttdyUJ:+8sNLOSBJ13DJxkRW2g0PNL1NWPNG3N

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://chongmei33.publicvm.com:7045

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                            Technique ID   Count
  Persistence           Boot or Logon Autostart Execution    T1547          1
  Persistence           Registry Run Keys / Startup Folder   T1547.001      1
  Privilege Escalation  Boot or Logon Autostart Execution    T1547          1
  Privilege Escalation  Registry Run Keys / Startup Folder   T1547.001      1
  Defense Evasion       Modify Registry                      T1112          1
  Discovery             Query Registry                       T1012          1
  Discovery             System Information Discovery         T1082          2

Tasks