Overview

overview

10

Static

static

1

wpp.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wpp.js

  • Size

    1.3MB

  • Sample

    250411-hs9rvssmw9

  • MD5

    95643ad15dcfc79f7421c8ceef1db756

  • SHA1

    238c841d72a2615900ab0f373a438d56e660bbf5

  • SHA256

    f917f31216deb0765e687fed60323e7b6a317002febb1e2b0b6999baff8690ba

  • SHA512

    77ae8f0823d32f6bf6221d3788130813603e16f84feba2019e836fd4a753478a8bd42a79ef2bdf329a5ef532eeec9f6d08924bf80d60e79efff4a0040ee68cb6

  • SSDEEP

    12288:uuN4/UiN7GcJM7mJyoRW60PY2EV1w9m+MoJMsn6GlX:buRpbgmW1PYHreJMsn6U

Score
10/10
wshratdiscoveryexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Targets

    • Target

      wpp.js

    • Size

      1.3MB

    • MD5

      95643ad15dcfc79f7421c8ceef1db756

    • SHA1

      238c841d72a2615900ab0f373a438d56e660bbf5

    • SHA256

      f917f31216deb0765e687fed60323e7b6a317002febb1e2b0b6999baff8690ba

    • SHA512

      77ae8f0823d32f6bf6221d3788130813603e16f84feba2019e836fd4a753478a8bd42a79ef2bdf329a5ef532eeec9f6d08924bf80d60e79efff4a0040ee68cb6

    • SSDEEP

      12288:uuN4/UiN7GcJM7mJyoRW60PY2EV1w9m+MoJMsn6GlX:buRpbgmW1PYHreJMsn6U

    Score
    10/10
    wshratdiscoveryexecutionpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Wshrat family

      wshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v16

Tasks