General

  • Target

    proof of payment.js

  • Size

    39KB

  • Sample

    221024-pb3esagdb2

  • MD5

    5b6e9a548c15dc32988b91c6ca5ec2df

  • SHA1

    af63806323c07129c6dcb138971496baeeddc856

  • SHA256

    c91bae3e00eabcee11b278419c503cbb28f94372f349ff56d0d04207d5f1e7fe

  • SHA512

    19040cb6e11a250ed47ec77c364fef8f000b83dbf2021825c308af58cbd15735dd2f3e56074603482ed5e3fa7671c46dd72ca154479c6138ebcc17731b2e80ad

  • SSDEEP

    768:Ft7X36ZgnCdZ2xYUTn2rXoevZwPUJzUXE5:FdaWnCdZ8YUT8oevyozGE5

Malware Config

Extracted

Family

wshrat

C2

http://chuks.wikaba.com:6424

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks