General

  • Target

    PO.js

  • Size

    5KB

  • Sample

    221101-k2qrfsahhm

  • MD5

    2847ee58cb7ef2bc9d410ad73a15961f

  • SHA1

    701a342c49ec6d2c802847157e6a68154168bbf8

  • SHA256

    6b12cfb0d109c8944d64556320bb63e2b0a287b8583c16cc4eb3b32f86fe31c8

  • SHA512

    3245868c4700d28843fc98e6e15eefc269da745b334bc3678f1710d1a7520305bfd5dc2c2cc87ebdd6e114f850eebcb69b55d3f2297d560b5d55621203ee78e6

  • SSDEEP

    96:u9GyFqVgE4DBLSjsg2B7pikxVHFQba/40zpzw4wu+huzLsFZZRKC8CEsrYcshAiR:VuEgBOwZFiO+a/40zNw4wFSLYZRHEsrs

Malware Config

Extracted

Family

vjw0rm

C2

http://212.193.30.230:6505

Extracted

Family

wshrat

C2

http://212.193.30.230:3605

http://212.193.30.230:7780

Targets

    • Target

      PO.js

    • Size

      5KB

    • MD5

      2847ee58cb7ef2bc9d410ad73a15961f

    • SHA1

      701a342c49ec6d2c802847157e6a68154168bbf8

    • SHA256

      6b12cfb0d109c8944d64556320bb63e2b0a287b8583c16cc4eb3b32f86fe31c8

    • SHA512

      3245868c4700d28843fc98e6e15eefc269da745b334bc3678f1710d1a7520305bfd5dc2c2cc87ebdd6e114f850eebcb69b55d3f2297d560b5d55621203ee78e6

    • SSDEEP

      96:u9GyFqVgE4DBLSjsg2B7pikxVHFQba/40zpzw4wu+huzLsFZZRKC8CEsrYcshAiR:VuEgBOwZFiO+a/40zNw4wFSLYZRHEsrs

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS forms.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
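The extracted config and the behaviour signatures above give a hunter everything needed for host and network detection: the C2 host:port pairs for both families, a script host making network requests, a Run key pointing at a script, and a script dropped into the Startup folder. The following is an added example, not code from tria.ge or from the report, that turns those indicators into triage logic. The C2 endpoints are copied from the Malware Config section; the event schema (`type`, `image`, `dst_ip`, `dst_port`, `key`, `value`, `path`) is an assumption standing in for Sysmon-style telemetry, the script-host list is an assumption (the page does not show which processes the "Blocklisted process" signature covers), and every event in `SAMPLE_EVENTS` is constructed for illustration.

```python
"""Triage logic built from the indicators in this report (added example).

C2_ENDPOINTS come from the report's Malware Config section. The event
schema, the script-host list and all sample events are assumptions /
constructed data, not output of the sandbox run.
"""
import re

# Extracted C2 endpoints, per family (from the report).  Both families share
# one host, so port-level matching is what tells them apart.
C2_ENDPOINTS = {
    "vjw0rm": {("212.193.30.230", 6505)},
    "wshrat": {("212.193.30.230", 3605), ("212.193.30.230", 7780)},
}

# Script hosts a .js dropper runs under (assumption: the report does not
# list the processes behind "Blocklisted process makes network request").
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Persistence locations named by the "Drops startup file" and
# "Adds Run key to start application" signatures.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


def c2_family(ip, port):
    """Return the family whose extracted config lists ip:port, else None."""
    for family, endpoints in C2_ENDPOINTS.items():
        if (ip, port) in endpoints:
            return family
    return None


def analyse_event(event):
    """Return a (signature, detail) finding for one event, or None."""
    kind = event["type"]
    if kind == "network":
        proc = event["image"].rsplit("\\", 1)[-1].lower()
        dst = f"{event['dst_ip']}:{event['dst_port']}"
        family = c2_family(event["dst_ip"], event["dst_port"])
        if family:
            return ("c2_beacon", f"{proc} -> {dst} ({family})")
        if proc in SCRIPT_HOSTS:
            # Not a known C2, but a script host talking to the network is
            # the behaviour the blocklisted-process signature fires on.
            return ("script_host_network", f"{proc} -> {dst}")
    elif kind == "registry":
        if RUN_KEY_RE.search(event["key"]) and SCRIPT_EXT_RE.search(event["value"]):
            return ("run_key_script", f"{event['key']} = {event['value']}")
    elif kind == "file":
        if STARTUP_DIR_RE.search(event["path"]) and SCRIPT_EXT_RE.search(event["path"]):
            return ("startup_drop", event["path"])
    return None


def triage(events):
    """Run every event through analyse_event and keep the hits, in order."""
    return [f for f in map(analyse_event, events) if f is not None]


# Constructed events (not from the sandbox run), mirroring the signatures.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "212.193.30.230", "dst_port": 6505},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "212.193.30.230", "dst_port": 7780},
    {"type": "network", "image": r"C:\Windows\System32\cscript.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PO",
     "value": r'wscript.exe //B "C:\Users\victim\AppData\Roaming\PO.js"'},
    {"type": "file",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\PO.js"},
    {"type": "file", "path": r"C:\Users\victim\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for signature, detail in triage(SAMPLE_EVENTS):
        print(f"{signature:22} {detail}")
```

Because both families beacon to the same host, blocking the IP is the simpler network control; matching on host and port, as the example does, additionally tells you which payload is calling home. The Run key and Startup checks deliberately key on the script extension rather than the file name, since the dropped name (PO.js here) is trivially changed between campaigns.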

MITRE ATT&CK Enterprise v6

Tasks