General

  • Target

    Proof of Payment.js

  • Size

    429KB

  • Sample

    221215-j2p99abh77

  • MD5

    019687721f2294d4bdc0e820b8e1c05d

  • SHA1

    4aa96ea352ce89cebbf662cb83cdd5676fa86a21

  • SHA256

    bfcdf288d8a45d170910b4cd04d811f2afe6d9bf9ff3eab8d250cde2eeb70a3a

  • SHA512

    738c8295188477b8fbda8a6d19817b835aafc8dac8a9501fec53c4bcd0a758fefa8b369e6679d7b597ef4067b6c13a9c05bfb82a19ce614879da3e2260d49f83

  • SSDEEP

    3072:tpZFqXDp3Xjehwn+9eKa5VGzcK7GbOlkFPPcG58MMDzMHKyC3kMFdMWnKzMhfinQ:tW9XjeSn+0kunSF0L0

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://185.246.220.208:5358

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks