General

  • Target

    nANPLEldnw_wynmove.js

  • Size

    51KB

  • Sample

    221029-yjm5hadbgm

  • MD5

    032af7044cd24261edb9bcc78aec4a74

  • SHA1

    0d0719e82440cf617227f7676c94ab924988f0a9

  • SHA256

    de95f97b146776465278d026f995f78dd87b3398086e358c96ba49f233be8c40

  • SHA512

    19e6daa5874fc193421a8d4f40743d498fd85e19ad3ac18400666697e5f721bc42b9711bf48118db16212ff994d84673f9590e014264169976703f9fa042a356

  • SSDEEP

    768:dUONBbwCi/M63wjVNAZF/yIaf9fgsQ7DQCD6zsgvic1Vfr/GIVcnIMHJ8coORRLK:HLidkVNAz/Jaf9eDQCmzcifLyscoOLLK

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks