vjw0rm | 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940 | Triage

Submit
Reports

Overview

overview

Static

static

E-receipt ...222.js

windows7_x64

E-receipt ...222.js

windows10-2004_x64

Sharing

General

Target

E-receipt #8992-WSH-276020222.js
Size

37KB
Sample

220628-y54pdacahr
MD5

85f9be3cfbb0cebf7a3f87530dce3297
SHA1

af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
SHA256

7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
SHA512

c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84

Score

10^/10

vjw0rm wshrat persistence suricata trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

E-receipt #8992-WSH-276020222.js

Resource

win7-20220414-en

vjw0rm wshrat persistence suricata trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

E-receipt #8992-WSH-276020222.js

Resource

win10v2004-20220414-en

vjw0rm wshrat persistence suricata trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

wshrat

C2

http://37.0.8.115:8992

Targets

- Target
  
  E-receipt #8992-WSH-276020222.js
- Size
  
  37KB
- MD5
  
  85f9be3cfbb0cebf7a3f87530dce3297
- SHA1
  
  af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
- SHA256
  
  7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
- SHA512
  
  c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
Score

10^/10

vjw0rm wshrat persistence suricata trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- suricata: ET MALWARE WSHRAT CnC Checkin
  suricata: ET MALWARE WSHRAT CnC Checkin
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencesuricatatrojanworm

behavioral2

vjw0rmwshratpersistencesuricatatrojanworm

© 2018-2024

Terms | Privacy