General

  • Target

    mghc.js

  • Size

    1.5MB

  • Sample

    250411-httf9sstdz

  • MD5

    d988a34cdd969239c90ce929f2790bfd

  • SHA1

    4564094c75a164819446681e048259b137bf2330

  • SHA256

    7f38be2593e003aaac7adcd4ee19587d85f62b32821cad87ca784f5abf1269e6

  • SHA512

    d2274ccc82e96a74b71ff464f87d3118032e7e70e32ed4c527261e44daf71a250af3d624a4fdf2a505f2f3b826a18523e2b68d53368a44ee2b6e547a0d99a004

  • SSDEEP

    24576:k4k3obSkRF2IWZO1OFnRgEUnB23Zx00aDLXM:qobrNsE0D

Malware Config

Extracted

Family

wshrat

C2

http://lee44.kozow.com:6892

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Wshrat family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v16