General

  • Target

    RFQ.js

  • Size

    38KB

  • Sample

    221025-llhatacbg9

  • MD5

    55bc28c01b5976751a15f6bb64ad0f22

  • SHA1

    fa5ff05827c6e39b326078da28fa0b0533b7eb5a

  • SHA256

    e129f1f9e9b65e0f740decd35719b12553aafe2a0869b1d0e73a40014770ea3a

  • SHA512

    72a5acfa9d56235050f3be16721aed5d1b613e35997f5c2c2bc0d4e3626479b3c15a5e7d33ad85aa21f87299d7f722454ddd6fc60c2db101e94c27f39063ce36

  • SSDEEP

    768:OWy/EMHoWdOrfFlqJL3WouRFCitvDo/6Pa00SalKI:7l5jNlqZ3HgFCitvDu00Sa1

Malware Config

Extracted

Family

wshrat

C2

http://harold.jetos.com:1604

Targets

    • Target

      RFQ.js

    • Size

      38KB

    • MD5

      55bc28c01b5976751a15f6bb64ad0f22

    • SHA1

      fa5ff05827c6e39b326078da28fa0b0533b7eb5a

    • SHA256

      e129f1f9e9b65e0f740decd35719b12553aafe2a0869b1d0e73a40014770ea3a

    • SHA512

      72a5acfa9d56235050f3be16721aed5d1b613e35997f5c2c2bc0d4e3626479b3c15a5e7d33ad85aa21f87299d7f722454ddd6fc60c2db101e94c27f39063ce36

    • SSDEEP

      768:OWy/EMHoWdOrfFlqJL3WouRFCitvDo/6Pa00SalKI:7l5jNlqZ3HgFCitvDu00Sa1

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application
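
The behaviours listed above (a script host making a network request, a Startup-folder drop and a Run-key entry) are straightforward to turn into host-based detection logic. The Python below is an added example, not code from the sandbox or from this report; it runs over a few constructed, Sysmon-style event records (field names `Image`, `TargetObject`, `Details`, `TargetFilename`, `DestinationHostname`, `DestinationPort` follow Sysmon's schema, but the events themselves are made up for illustration) and flags the three persistence/network behaviours plus the C2 host extracted from the config. The "checks computer location settings" behaviour is a registry read, which Sysmon does not log, so it is deliberately not covered here.

```python
"""Detection logic for the behaviours this report flags for RFQ.js.

Added example (not the sandbox's own code). Input is a list of dicts shaped
like simplified Sysmon events: EventID 3 (network connection), 11 (file
create) and 13 (registry value set). Field names follow Sysmon's schema; the
sample events at the bottom are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Windows Script Host and related LOLBins that a .js dropper runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Indicator taken from the report's extracted config (host, port).
C2_HOSTS = {("harold.jetos.com", 1604)}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def image_name(path):
    """Return the lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def looks_like_script(command):
    """True if a Run-key value launches a script host or names a script file."""
    if not command:
        return False
    first = command.split()[0].strip('"')
    return bool(SCRIPT_EXT.search(command)) or image_name(first) in SCRIPT_HOSTS


def check_event(ev):
    """Return the list of Findings for one event (empty if nothing matched)."""
    findings = []
    proc = image_name(ev.get("Image", ""))
    eid = ev.get("EventID")
    if eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        if (host, port) in C2_HOSTS:
            findings.append(Finding("known_c2", proc, f"{host}:{port}"))
        if proc in SCRIPT_HOSTS:
            findings.append(Finding("script_host_network", proc, f"{host}:{port}"))
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY.search(target) and looks_like_script(details):
            findings.append(Finding("run_key_script", proc, f"{target} = {details}"))
    elif eid == 11:  # file created
        fname = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(fname) and SCRIPT_EXT.search(fname):
            findings.append(Finding("startup_script_drop", proc, fname))
    return findings


def scan(events):
    """Run check_event over a sequence of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events modelled on the report's behaviours (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\RFQ.js"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\RFQ",
     "Details": r'wscript.exe //B "C:\Users\u\AppData\Roaming\RFQ.js"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "harold.jetos.com", "DestinationPort": 1604},
    # Benign noise: a browser connection and a legitimate Run-key entry.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.process:12} {f.detail}")
```

Running the block prints four findings, all attributed to wscript.exe: the Startup-folder drop, the Run-key entry, the known C2 host and the generic "script host made a network request" rule. The last rule is the one worth keeping even after the C2 domain rotates, since a Windows Script Host process opening sockets is rare on most endpoints.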

MITRE ATT&CK Enterprise v6

Tasks