vjw0rm | 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be | Triage

Sharing

General

Target

PO MFG ORDER W124494 - 2021-10-18 0009.js
Size

45KB
Sample

211019-kfa4wafdg6
MD5

225bff43c2aa2095bbc11f358628e2a1
SHA1

81645b5fa0518200da4b145cb3428e702cb76244
SHA256

1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
SHA512

af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://fax-joh.dyn-ip24.de:20224

Targets

- Target
  
  PO MFG ORDER W124494 - 2021-10-18 0009.js
- Size
  
  45KB
- MD5
  
  225bff43c2aa2095bbc11f358628e2a1
- SHA1
  
  81645b5fa0518200da4b145cb3428e702cb76244
- SHA256
  
  1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
- SHA512
  
  af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm