General
Target: kmEgggSTWx_ayorecover.js
Size: 259KB
Sample: 221109-t9e5cscafq
MD5: 108b2fbde6df04fe96ba0448355d7252
SHA1: 7a5672788accfedd5f4ec62986e88e2def75f1c7
SHA256: 950be081ea324e3251d4dc0f6d3a5a6af714ebd929e2d9b35cfff08202751e52
SHA512: d5277ccc2ef7e184575719f05b4610a5fd9ec93595bf911fb4f3ff5c19768fbe5cc39e5695db9b4afb612ffe987414b5eaa72b6515044f5f88fd1b885e6d2983
SSDEEP: 6144:uaQ+pTUljmE7MEvL8nmSsRxTM4vr2sn513CrjQ0kP:uaQQKXL8noL2c3QW
Static task: static1
Behavioral task: behavioral1
  Sample: kmEgggSTWx_ayorecover.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: kmEgggSTWx_ayorecover.js
  Resource: win10v2004-20220901-en
Malware Config
Extracted family: wshrat
Extracted URL: http://45.139.105.174:3670
Targets
Target: kmEgggSTWx_ayorecover.js
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.