vjw0rm | 9343e04859def1edc843bc315fe68b3e9af894c82d403bc2410247f542e1cfd7 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

LPO-17-006AD.js
Size

51KB
Sample

221205-k1m9yadg58
MD5

72223261b52503ff105d48cd259b57bb
SHA1

35bba466691abc491ca3a831a434b6c2fca5a086
SHA256

9343e04859def1edc843bc315fe68b3e9af894c82d403bc2410247f542e1cfd7
SHA512

0c8558b245dcc803d22f5de7be7e3bfb8e65904e606fff6676ccab64692183e152b6828d5d493c87f552fed421e610cfc50237b3307f1bac7fe11d5d7db34376
SSDEEP

1536:0AcjP620ZCqxJ5I7k9ILcmgK+g9XkSsSYBnP:0Vj2ZlxJ5KgKGP

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:2070

Targets

- Target
  
  LPO-17-006AD.js
- Size
  
  51KB
- MD5
  
  72223261b52503ff105d48cd259b57bb
- SHA1
  
  35bba466691abc491ca3a831a434b6c2fca5a086
- SHA256
  
  9343e04859def1edc843bc315fe68b3e9af894c82d403bc2410247f542e1cfd7
- SHA512
  
  0c8558b245dcc803d22f5de7be7e3bfb8e65904e606fff6676ccab64692183e152b6828d5d493c87f552fed421e610cfc50237b3307f1bac7fe11d5d7db34376
- SSDEEP
  
  1536:0AcjP620ZCqxJ5I7k9ILcmgK+g9XkSsSYBnP:0Vj2ZlxJ5KgKGP
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm