General

  • Target

    HTMoDFxlkB_ayomover.js

  • Size

    44KB

  • Sample

    221109-t9e5cscafn

  • MD5

    5171c96642f46bfd31720e6bfe867f80

  • SHA1

    5acb6f251c2c5b17433a264683fc7b5fe28fcfbe

  • SHA256

    11105ea3d96adca08d7a112ec4bbd34a96e96b0cfd140d03087463629d161e1f

  • SHA512

    5bf5f8087ccb75e986a329b7268edf2bf71a08f05d57deb80c921061b11cfe1fca88a28a9b36f189d2fe16a740ce6c35ea059ce1eae51cb7618550a4fd0a1009

  • SSDEEP

    768:5UDwr0mf+pcuzOKCq3fOb7uCa7FL3QWwx6FxGI1albKSIKX7F//xHO2E:uYf+2u9hvODaBb7wxoxGI1aYSIKX7RpG

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://45.139.105.174:7670

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks