General

  • Target

    INTERAC Service Request9466544665440.js

  • Size

    3KB

  • Sample

    211008-metkyadgh6

  • MD5

    38ecf70cf09d8c499546c01c028dd70f

  • SHA1

    d4d57eeb688d2abe1eeae5b0dc142d588246648b

  • SHA256

    7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d

  • SHA512

    bd92d0a81b6c9b553d11ace0f680f677a727de965703205955c92650ed43fe68f593b228e62d90acafc53e34864e4715eebd877808e2b160ee1d3dfeaf9462bc

Malware Config

Extracted

Family

vjw0rm

C2

http://jswormpeople.duckdns.org:1921

Targets

    • Target

      INTERAC Service Request9466544665440.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
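
The signature list above gives a responder concrete things to hunt for: the sample's hashes and file name, the duckdns C2, a Windows Script Host binary launching a .js file, and persistence through a Run key or the Startup folder. As an added example that is not part of this sandbox report, the following Python applies those indicators to a handful of telemetry lines. The log lines are constructed for the demonstration (only the hashes, file name and C2 URL are taken from the report), and the key=value field names (Image, CommandLine, Hashes, DestinationHostname, TargetObject, TargetFilename) are assumed to follow Sysmon naming.

```python
"""Hunt for this report's vjw0rm indicators in key=value telemetry.

Added example, not part of the sandbox report. Hashes, file name and C2
are copied from the report; the sample log lines are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# --- Indicators copied from the report ---------------------------------
IOC_HASHES = {
    "38ecf70cf09d8c499546c01c028dd70f",                                  # MD5
    "d4d57eeb688d2abe1eeae5b0dc142d588246648b",                          # SHA1
    "7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d",  # SHA256
}
IOC_FILENAME = "INTERAC Service Request9466544665440.js"
C2_URL = "http://jswormpeople.duckdns.org:1921"
C2_HOST = urlparse(C2_URL).hostname   # jswormpeople.duckdns.org
C2_PORT = urlparse(C2_URL).port       # 1921

# Windows Script Host binaries that execute a dropped .js payload.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,128}\b")          # embedded digests
JS_RE = re.compile(r"\.jse?\b", re.IGNORECASE)            # .js / .jse, not .json
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string as lowercase hex, for IOC comparison."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to one of the report's digests."""
    return any(h in IOC_HASHES for h in hashes_of(data).values())


def match_line(line: str) -> list:
    """Return the indicator names one telemetry line triggers ([] if clean)."""
    low = line.lower()
    reasons = []
    # 1. Exact sample: a report digest embedded in the event (e.g. Sysmon Hashes=).
    if any(h.lower() in IOC_HASHES for h in HEX_RE.findall(line)):
        reasons.append("ioc_hash")
    if IOC_FILENAME.lower() in low:
        reasons.append("ioc_filename")
    # 2. C2: the duckdns host, with the port as corroboration.
    if C2_HOST in low:
        reasons.append("c2_host")
        if re.search(r"port=%d\b" % C2_PORT, low):
            reasons.append("c2_port")
    # 3. Behaviour: a script host touching a .js file (process, network or file event).
    script_host = any(sh in low for sh in SCRIPT_HOSTS)
    has_js = JS_RE.search(line) is not None
    if script_host and has_js:
        reasons.append("script_host_js")
    # 4. Persistence from the signature list: Run key or Startup folder entry.
    if RUN_KEY_RE.search(line) and (script_host or has_js):
        reasons.append("run_key_persistence")
    if STARTUP_RE.search(line) and has_js:
        reasons.append("startup_folder_persistence")
    return reasons


def hunt(lines) -> dict:
    """Map line index -> triggered indicators for every line that fires."""
    return {i: r for i, line in enumerate(lines) if (r := match_line(line))}


# Constructed Sysmon-style sample telemetry (not taken from the report).
SAMPLE_LOGS = [
    r'EventID=1 Image=C:\Windows\System32\wscript.exe '
    r'CommandLine="wscript.exe C:\Users\alice\Downloads\INTERAC Service Request9466544665440.js" '
    r'Hashes=SHA256=7ACB1E3E7F173F2CC884C87A15260F06F59ED45E79E979AFB37E361DD0B2625D',
    r'EventID=3 Image=C:\Windows\System32\wscript.exe DestinationHostname=jswormpeople.duckdns.org DestinationPort=1921',
    r'EventID=13 Image=C:\Windows\System32\wscript.exe '
    r'TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\INTERAC '
    r'Details=wscript.exe C:\Users\alice\AppData\Roaming\INTERAC Service Request9466544665440.js',
    r'EventID=11 Image=C:\Windows\System32\wscript.exe '
    r'TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"',
    r'EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=www.example.com DestinationPort=443',
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_LOGS).items():
        print(idx, ", ".join(reasons))
```

The hash and file-name checks only catch this exact build; a one-byte change to the script defeats them, which is why the behavioural checks (script host plus .js, Run key, Startup folder, the duckdns host) carry the real weight in a hunt. The port is recorded as corroboration rather than a requirement, since a single report gives no assurance the operator keeps it fixed.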

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            ID     Count
  Execution             Scheduled Task                       T1053  1
  Persistence           Registry Run Keys / Startup Folder   T1060  1
  Persistence           Scheduled Task                       T1053  1
  Privilege Escalation  Scheduled Task                       T1053  1
  Defense Evasion       Modify Registry                      T1112  1
  Discovery             System Information Discovery         T1082  1
