vjw0rm | b29f7ef3d2fc192562ade4242016a762ad7863c8936b30d6e91565d820734ba9 | Triage

Sharing

General

Target

Order Spec.PDF.js
Size

40KB
Sample

221129-g5mx7agc9z
MD5

866bc1d7e3b0b0f5d50f822d901cc6db
SHA1

981e383028b2672260a69f4b4210d76ad0946533
SHA256

b29f7ef3d2fc192562ade4242016a762ad7863c8936b30d6e91565d820734ba9
SHA512

00dea71438fbb27c492f3201d64ae342864cae5e3672ad9504363577570b930e6e744c6785be2d675f9439d0de821c87dfca2fc41e84cffcde1dd7bbf9d35a8b
SSDEEP

768:NKm0ftIQVmYOn+QSkQqRp2iDg0vGcxZfznJNanLPE0BcOlh:cVftIQmSkR2iDYefXWM0BcOD

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Targets

- Target
  
  Order Spec.PDF.js
- Size
  
  40KB
- MD5
  
  866bc1d7e3b0b0f5d50f822d901cc6db
- SHA1
  
  981e383028b2672260a69f4b4210d76ad0946533
- SHA256
  
  b29f7ef3d2fc192562ade4242016a762ad7863c8936b30d6e91565d820734ba9
- SHA512
  
  00dea71438fbb27c492f3201d64ae342864cae5e3672ad9504363577570b930e6e744c6785be2d675f9439d0de821c87dfca2fc41e84cffcde1dd7bbf9d35a8b
- SSDEEP
  
  768:NKm0ftIQVmYOn+QSkQqRp2iDg0vGcxZfznJNanLPE0BcOlh:cVftIQmSkR2iDYefXWM0BcOD
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm