General
-
Target
Custom Clearance Doc. AWB#5305323204643.js
-
Size
127KB
-
Sample
220617-pk183sbhgm
-
MD5
ca725f6c53d5cd93cdec59ea14d8493e
-
SHA1
ca8118f5fa816e134340e114bccf2e2c2c9605b3
-
SHA256
e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
-
SHA512
4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
Malware Config
Extracted
wshrat
http://62.102.148.154:4044
Targets
-
-
Target
Custom Clearance Doc. AWB#5305323204643.js
-
Size
127KB
-
MD5
ca725f6c53d5cd93cdec59ea14d8493e
-
SHA1
ca8118f5fa816e134340e114bccf2e2c2c9605b3
-
SHA256
e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
-
SHA512
4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-