General

  • Target

    RFQ.js

  • Size

    38KB

  • Sample

    221027-vp9znsdabr

  • MD5

    4e560201c077de489d5decef56c8ba29

  • SHA1

    e05a3b6beb5938a63d4f0e165fe0d61dd51f9cc0

  • SHA256

    ae64d93368bda8560f4cc393f48279997027ec39cf8751bc0f433d7e2a63cbf6

  • SHA512

    4880d420b3da9b66d4e6ec5bddbf6b4d6f6260b8e8624cf1971887615543980b72efa74277825eb9c6b2244be845cff187fb0f246603ee8c0502de7917fd2cbb

  • SSDEEP

    768:8dKVLImlocTOFUFrgpVPWuu1NAifXlAhQ9OFs0SasA:qKG9ROrgbPRMNAifXlWs0SaR

Malware Config

Extracted

Family

wshrat

C2

http://harold.jetos.com:1604

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks