General

  • Target

    test.JS

  • Size

    1.1MB

  • Sample

    240503-gk5x9sgf8t

  • MD5

    45ece63fd62550c00c23129d45acc6ae

  • SHA1

    428b9734401dbb1c71cbe84894be3ac54f7f8f0f

  • SHA256

    60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928

  • SHA512

    35a97ce1eb9765d3f306b3478e6607889aa5130239cd85a351c81c94caf964a765db5f455c7777641996fb7f422980689be63ef3593a68c79ee275d2a7dc3935

  • SSDEEP

    24576:xnM9UoHmc6UHyDnk8VYJH2GLvXHLmhWeWJxuLiYZZNJIMmXL/MbiHmKA63OuQFfP:xnmTGCS48ZorOWe6jeZNJIpXjMbiHmKk

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://masterokrwh.duckdns.org:8426

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks