General

  • Target

    Quotation Request.js

  • Size

    44KB

  • Sample

    221109-rmtywshfa4

  • MD5

    9f09acf3f30f2b09d7509a7eda87a14e

  • SHA1

    d833eb8a70209454b68df1fcd10c54832298231f

  • SHA256

    ee442f3b315081d57f588d3a260b3f6b53a374113ef6de989250b8a36cc131e2

  • SHA512

    9413f70f28f039d60e5dc0ad7edbcf87aa73e8ab317c45616eb612ebdd80e8f6465992d43b738af9560fbe718221b616de977eac6ee5d6fb4cd65807ae9ffff1

  • SSDEEP

    768:5UDwr0mf+kAzUOOCqret7eYpcFL3aXiSBQcvYcVPfzXBf0VzUw0Oz+:uYf+FzkhitdmbxSBeEfdMow0OS

Malware Config

Extracted

Family

wshrat

C2

http://kmajewska.duckdns.org:2556

Targets

    • Target

      Quotation Request.js

    • Size

      44KB

    • MD5

      9f09acf3f30f2b09d7509a7eda87a14e

    • SHA1

      d833eb8a70209454b68df1fcd10c54832298231f

    • SHA256

      ee442f3b315081d57f588d3a260b3f6b53a374113ef6de989250b8a36cc131e2

    • SHA512

      9413f70f28f039d60e5dc0ad7edbcf87aa73e8ab317c45616eb612ebdd80e8f6465992d43b738af9560fbe718221b616de977eac6ee5d6fb4cd65807ae9ffff1

    • SSDEEP

      768:5UDwr0mf+kAzUOOCqret7eYpcFL3aXiSBQcvYcVPfzXBf0VzUw0Oz+:uYf+FzkhitdmbxSBeEfdMow0OS

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks