Extracted

• • Target

    AWB NO - 4806763435.js

  • Size

    304KB

  • MD5

    0cdef7f1449aca5a0c1439844d33a593

  • SHA1

    9ef5f183e1253b349549ed704e35deba2b439bde

  • SHA256

    7367743f876ffc7a318d768e51dd4b9323b8e7561b67827eca9ab0a2c1e670e4

  • SHA512

    d9547601d7b6d4b771cbb74dbcd0d65db1dea7f6766a47b7567b31e8102172d268eee02108c47d526ac3b7f2a6a8015e757f86d355d17ff7fd9b642e95eaf3b1

  • SSDEEP

    6144:pmnZ8AVCSuhEg9s44GY5Yi3CM2OMZ0PQ8xa6nlF20xuf:8hb/z5j3CMXVDKa+

  Score

  10^/10

  vjw0rmwshratpersistencetrojanworm

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2