General

  • Target

    proof of payment.001.rar

  • Size

    14KB

  • Sample

    221024-pqnj6sgfgn

  • MD5

    93b507e5fe85f2e4d84374cd4c1424cd

  • SHA1

    42f52462f338dce7a6e3f52a8c4b8b5d18297bc8

  • SHA256

    d342cec59ebc05ff56c40ee2ffb1024883d89532f32ee3f2b53cc1ca57eb5259

  • SHA512

    aca765541b5d66262b2f32f59939a590b06bcd21f0bdb702c18716234ccbcb856ed2561f7f0104e2e472485eed292cb4066fb69318c680685c75cfc1861b1a9b

  • SSDEEP

    384:RvHlFIAFNVZirtoSeGj5wTXzCg9VLHOxUx7mmiQyAuRP5665P2:1lNFweGlw3VL/7NB1uRh6W+

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://chuks.wikaba.com:6424

Targets

    • Target

      proof of payment.js

    • Size

      39KB

    • MD5

      5b6e9a548c15dc32988b91c6ca5ec2df

    • SHA1

      af63806323c07129c6dcb138971496baeeddc856

    • SHA256

      c91bae3e00eabcee11b278419c503cbb28f94372f349ff56d0d04207d5f1e7fe

    • SHA512

      19040cb6e11a250ed47ec77c364fef8f000b83dbf2021825c308af58cbd15735dd2f3e56074603482ed5e3fa7671c46dd72ca154479c6138ebcc17731b2e80ad

    • SSDEEP

      768:Ft7X36ZgnCdZ2xYUTn2rXoevZwPUJzUXE5:FdaWnCdZ8YUT8oevyozGE5

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks