General
-
Target
wp.js
-
Size
1.4MB
-
Sample
250411-hz9qfaswcv
-
MD5
857f67c3c3b29c9ace48abcf72060c32
-
SHA1
0211ac715317080c337e0419c7eb87d697b55b4d
-
SHA256
e60e527d07220d6220935a9d47478d2bf9cc550b7a32e9944ea44e32d9e3aa8f
-
SHA512
5429386e60f608dcbb382626f8997a0413996301f74605d501237c3f1efd5c05b448393b832e7f4718a632835e2942562e58b7029747d4320284e01b8d0254fc
-
SSDEEP
12288:7L2iQj9rCEtkvPpPDT/KxtEGHeBzkBtESkwPyfVcOcPEtLbxhqxf3ht13Ah6hXgZ:90IEIPK9VQNnN5rwryie1fpU1jSH6j+p
Static task
static1
Behavioral task
behavioral1
Sample
wp.js
Resource
win10v2004-20250410-en
Malware Config
Extracted
wshrat
http://chongmei33.myddns.rocks:7045
Targets
-
-
Target
wp.js
-
Score
10/10
-
Wshrat family
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder