General

  • Target

    b4420793217d8bd201ba7f61b863873c7ec1befa308d9eea52b90cb2cbc4d1a9.js

  • Size

    616KB

  • Sample

    240508-c6g14see3s

  • MD5

    146543805fbb1a73135ca00f2899118f

  • SHA1

    f13878fd653431ab505ee248abe931880faab471

  • SHA256

    b4420793217d8bd201ba7f61b863873c7ec1befa308d9eea52b90cb2cbc4d1a9

  • SHA512

    efad864edb7dff50ef656481de3664f0752449ffc4b3c4cebc4fd5fe3b241c663c2948eb6c93c20e68b1ffd0a19061b8200c2a779bf55a6746827aa9b23a53a0

  • SSDEEP

    12288:OYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEM+:OYeIrWr/qRigAyX/kngXFbjTLvaH28n1

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Targets

    • Target

      b4420793217d8bd201ba7f61b863873c7ec1befa308d9eea52b90cb2cbc4d1a9.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks