General

  • Target

    PendingInvoiceBankDetails.JS.js

  • Size

    1.1MB

  • Sample

    240502-z1kw5sfd8s

  • MD5

    45ece63fd62550c00c23129d45acc6ae

  • SHA1

    428b9734401dbb1c71cbe84894be3ac54f7f8f0f

  • SHA256

    60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928

  • SHA512

    35a97ce1eb9765d3f306b3478e6607889aa5130239cd85a351c81c94caf964a765db5f455c7777641996fb7f422980689be63ef3593a68c79ee275d2a7dc3935

  • SSDEEP

    24576:xnM9UoHmc6UHyDnk8VYJH2GLvXHLmhWeWJxuLiYZZNJIMmXL/MbiHmKA63OuQFfP:xnmTGCS48ZorOWe6jeZNJIpXjMbiHmKk

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://masterokrwh.duckdns.org:8426

Targets

    • Target

      PendingInvoiceBankDetails.JS.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter, T1059 (1)
      JavaScript, T1059.007 (1)

  • Persistence

    Boot or Logon Autostart Execution, T1547 (1)
      Registry Run Keys / Startup Folder, T1547.001 (1)

  • Privilege Escalation

    Boot or Logon Autostart Execution, T1547 (1)
      Registry Run Keys / Startup Folder, T1547.001 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    System Information Discovery, T1082 (1)

  • Command and Control

    Web Service, T1102 (1)

Tasks