General

  • Target

    RwIrirknXs_ayomover.js

  • Size

    38KB

  • Sample

    221107-nm94bsdfh4

  • MD5

    2ecd5267ef6d1c6b9d408455e31ff51c

  • SHA1

    d1ad6a09325762d473a88bf58f94f2c1c2fe6887

  • SHA256

    89b864024b209caf737f4a3d327b9ac3206b7ca42d3db0a5c341ab7447208d3d

  • SHA512

    72b161be6586192e974c8b2cab26a460f169555bf0700e49636e6fc1def5f568fafee3fef3275026401ca772770e213e11a74a6d26f06846f578d06379755f75

  • SSDEEP

    768:RXn4T2lDrXFo97eZgKCKfQf32OkH1u4cpWT5SfLC9KUArORn:RXn46lNg7e+K7QfmOkH12WT5SfLs5Ari

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks