vjw0rm | 1091d4d6fdd409a307b9bf322c7464687200f891f1ec6f76feb5430c6bfc38f5 | Triage

Sharing

General

Target

Order EMFA Elektrik.PDF.js
Size

50KB
Sample

221206-rmav1sef54
MD5

010e12de339f3e0229c8d981133d9590
SHA1

6b4801ade8d1e043cc7da2c41d9fe06a8b6bc546
SHA256

1091d4d6fdd409a307b9bf322c7464687200f891f1ec6f76feb5430c6bfc38f5
SHA512

34873addf8b9880bb78ce0598202b19a826b65dea757570bff5d0af3f9765bfdfce285f988ae392e984e8c9f7f8d1618f1805b50fd09fc5dc416b4b98d2f6c8c
SSDEEP

1536:0A5RU5DtHzqLH5l7shkTtDbJHye7cyfrva8sQOi:0uKPHWLH51sUt/JHyoxblss

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Targets

- Target
  
  Order EMFA Elektrik.PDF.js
- Size
  
  50KB
- MD5
  
  010e12de339f3e0229c8d981133d9590
- SHA1
  
  6b4801ade8d1e043cc7da2c41d9fe06a8b6bc546
- SHA256
  
  1091d4d6fdd409a307b9bf322c7464687200f891f1ec6f76feb5430c6bfc38f5
- SHA512
  
  34873addf8b9880bb78ce0598202b19a826b65dea757570bff5d0af3f9765bfdfce285f988ae392e984e8c9f7f8d1618f1805b50fd09fc5dc416b4b98d2f6c8c
- SSDEEP
  
  1536:0A5RU5DtHzqLH5l7shkTtDbJHye7cyfrva8sQOi:0uKPHWLH51sUt/JHyoxblss
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm