vjw0rm

General

Target

8487327083.zip
Size

169KB
Sample

221129-lh3gksff94
MD5

58116e27b75ed0549ab87f6216e2a953
SHA1

2354de0ed15818a5999ff2662e06d3979797b17c
SHA256

fe18a09be16b7490b0ee0f7445b9fe20d2b5ec602aacd06fc8a86c087252615c
SHA512

97b45073ab6124b137ae58af761a8635c097aa07a0943542d14e63e7c559b8fe71b57ab2d8d0b62eaa1c92c1ecf0ae587f1d7f750514de8829cdb6a548f938ba
SSDEEP

3072:gJiFwcQca2aJqz9uac2u4HHmjXq3e8FJRA9JZGCz3Nuhx3vUW838N3pdQzY9NPn:g4wJ2/uqni63RJRSrGY38/UW83Ap8cZ

Score

10^/10

Malware Config

Extracted

Family

wshrat

C2

http://grace-fax.home-webserver.de:24150

Targets

- Target
  
  2f58ae06e3c0fb739151eee6ba8da55e09bfa61dc06d820bea7e184f2b560586
- Size
  
  6.0MB
- MD5
  
  8c2c56c69e745d5b7ce123b694870826
- SHA1
  
  38e7e8c34b80a87920461534a02f66b6c5b16f99
- SHA256
  
  2f58ae06e3c0fb739151eee6ba8da55e09bfa61dc06d820bea7e184f2b560586
- SHA512
  
  0a37007907dee0880abe48645af8cef5831ba03a03c33dca662f7a302db2e1af3ba2811096a0b5fbb7956fadc33b60f0fdbd97814cd34e0369e409f52dda89e6
- SSDEEP
  
  3072:CzsF5ejqKQKWGeIzuyR/I2MWJcsVfeaWYRfzbpdCltDvuLTrPFztzI0utitb0k2l:7FhGruytJQYRfRguLpt0ZtcVsCV+6
Score

3^/10
behavioral1 behavioral2
- Target
  
  out.vhd
- Size
  
  6.0MB
- MD5
  
  8c2c56c69e745d5b7ce123b694870826
- SHA1
  
  38e7e8c34b80a87920461534a02f66b6c5b16f99
- SHA256
  
  2f58ae06e3c0fb739151eee6ba8da55e09bfa61dc06d820bea7e184f2b560586
- SHA512
  
  0a37007907dee0880abe48645af8cef5831ba03a03c33dca662f7a302db2e1af3ba2811096a0b5fbb7956fadc33b60f0fdbd97814cd34e0369e409f52dda89e6
- SSDEEP
  
  3072:CzsF5ejqKQKWGeIzuyR/I2MWJcsVfeaWYRfzbpdCltDvuLTrPFztzI0utitb0k2l:7FhGruytJQYRfRguLpt0ZtcVsCV+6
Score

1^/10
behavioral3 behavioral4
- Target
  
  Order-Inquiry-020-10-28-22.js
- Size
  
  257KB
- MD5
  
  144bc81f1a91e281159dd7e51ebe682c
- SHA1
  
  3eeaa18af60d63898787411867c0cf26e760658e
- SHA256
  
  ebb80911d7d1b734fdafbf50f11b3cdf127a7a94a21201984d47b0bb6d47ca33
- SHA512
  
  a19701cb690b457acc9925a31e44c6f5d0c09f5bb939a7158d5e29f3d2757c252766271f9e5a5886550f4eed29c133c3b12d4313d4192198994eaf0012f6bbe2
- SSDEEP
  
  3072:nzsF5ejqKQKWGeIzuyR/I2MWJcsVfeaWYRfzbpdCltDvuLTrPFztzI0utitb0k2j:4FhGruytJQYRfRguLpt0ZtcVsCV+6E
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6