General

  • Target

    suBZaIZZSy_ayomover.js

  • Size

    41KB

  • Sample

    221111-l8hvvsed75

  • MD5

    e74c17c1cd2391f4196165b7ff5835cd

  • SHA1

    89fd7a28e6732864e7af863c0db67aa4b7910020

  • SHA256

    f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743

  • SHA512

    ea31d7b1a77ce34973a0678c3363d1a8257bd98413696737d8546546a49f387ab96e8f9c3bc7bf5aff42e87868e19ee850b434bf819a430658865c6e93bc24ac

  • SSDEEP

    768:5UIzYbki0LNFL2VDPXho7e78+CrbMxFk9G9Fmw1ozKihyOXDhTnZfu+E:uB0LNFyVdge78NrgxFk94Fmw1RiYOXDO

Malware Config

  • Extracted

    • Family

      wshrat

    • C2

      http://45.139.105.174:7670

Targets

    • Target

      suBZaIZZSy_ayomover.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks