General

  • Target: GXPhmnNRPG_wynmove.js
  • Size: 38KB
  • Sample: 221025-lnfvrscbh8
  • MD5: 3dff90e5de574801e0a812ed337429eb
  • SHA1: 1e0187f461e12cdc313640af5d5a82402f1fc121
  • SHA256: 869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3
  • SHA512: b77867ed63406be2a6c084141062bec420e37ea3862efa363cd460f098cb7a7faf83bf3d76a3abb9fbd7a595bf4a5b45913d0774d6cb982af60db713c25e42fb
  • SSDEEP: 768:j3hbrMfo56OPGgF7aM4gF8wsZ1va/a9zcHEdYHzePb:7tRsS7aMPCwsZ14a9zcH+IzePb

Malware Config

Extracted

  • Family: wshrat
  • C2: http://45.139.105.174:7670

Targets

    • Target: GXPhmnNRPG_wynmove.js
    • Size: 38KB
    • MD5: 3dff90e5de574801e0a812ed337429eb
    • SHA1: 1e0187f461e12cdc313640af5d5a82402f1fc121
    • SHA256: 869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3
    • SHA512: b77867ed63406be2a6c084141062bec420e37ea3862efa363cd460f098cb7a7faf83bf3d76a3abb9fbd7a595bf4a5b45913d0774d6cb982af60db713c25e42fb
    • SSDEEP: 768:j3hbrMfo56OPGgF7aM4gF8wsZ1va/a9zcHEdYHzePb:7tRsS7aMPCwsZ14a9zcH+IzePb

    • Vjw0rm
      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT
      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks