General

  • Target

    Order_CIQ1154500.js

  • Size

    264KB

  • Sample

    221019-qc7xbshfbl

  • MD5

    e7aede188ac796441ed5e5ca540380e1

  • SHA1

    e1c57ba8d14b0bb1a178f3421b8ac2d91bccac4a

  • SHA256

    cd5174fc461fe40d27c5c0dfc1276455214c8e102e833dab0ec83c94235d9bdd

  • SHA512

    5d7419887e76e2d374191aac40b3bac7e3cdd7208ba5f816bbc93491e47608b08a2b58cb267d09802f13af5f9644c5a72e1c21a389cf65148e11b90e838d55f7

  • SSDEEP

    6144:Vgo2Vc81hNSE+ybe1wDTeyMWy3eaNvwm9rf12kG3o:hwWybeMIezmen4

Malware Config

Extracted

Family

wshrat

C2

http://thehokage22.ddns.net:4488

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks