General

  • Target

    SIUCI ORDER.js

  • Size

    38KB

  • Sample

    220921-qf3f1sbhen

  • MD5

    0aacaf9bf1e78783b3e509986061f7e2

  • SHA1

    f9e45bbbd3a6f06472d99e0422b2a749c3b2ff67

  • SHA256

    484410bc273d5c56528ebc42e0ae23e5b3af00a56a5abf6c66ac3df5d80b62e9

  • SHA512

    58eabe5da6b6b83c2640a1827e69fb8007cc4b08dddab97a726c990d05850204a770e47168b26f5c74c9231f2739b338a66b363a1a9630e1791fd8d15b802293

  • SSDEEP

    384:MS8D/T5zKRkowoXxlgYj+grrvtbzUSbJsiXYhRCBvMki6s8emZGoD45uyrtDGrM3:eDx0NFXku+aCp606su45Nt9QnY5qzC

Malware Config

Extracted

Family

wshrat

C2

http://goods.camdvr.org:2888

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks