General

  • Target

    kmEgggSTWx_ayorecover.js

  • Size

    259KB

  • Sample

    221109-t9e5cscafq

  • MD5

    108b2fbde6df04fe96ba0448355d7252

  • SHA1

    7a5672788accfedd5f4ec62986e88e2def75f1c7

  • SHA256

    950be081ea324e3251d4dc0f6d3a5a6af714ebd929e2d9b35cfff08202751e52

  • SHA512

    d5277ccc2ef7e184575719f05b4610a5fd9ec93595bf911fb4f3ff5c19768fbe5cc39e5695db9b4afb612ffe987414b5eaa72b6515044f5f88fd1b885e6d2983

  • SSDEEP

    6144:uaQ+pTUljmE7MEvL8nmSsRxTM4vr2sn513CrjQ0kP:uaQQKXL8noL2c3QW

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
