vjw0rm | fb578011fca33b512fe0f1b92cc192e57fee479a40a53e981ec61ab220b0922d | Triage

Sharing

General

Target

HK SEMI CORPORATION CO,,Ltd.js
Size

3.5MB
Sample

230215-shbr7acd32
MD5

fb91a4c36c78fec96b1aef40d2d59c5f
SHA1

6f80bcc9f8485e7486fc716c47e1f611d688649c
SHA256

fb578011fca33b512fe0f1b92cc192e57fee479a40a53e981ec61ab220b0922d
SHA512

77fd763cb36519248f72a9f821bd421733099e47510d508644cb616e8c321c9b9d7aaffe86f1da8c0023a90230263e32c62b73efe5ed31a304ab7d043820d38a
SSDEEP

6144:DDvsgmpFYY2BrelpSK0XjJr0JS3ZgFt6r6ZpT:DD7Yvt

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Targets

- Target
  
  HK SEMI CORPORATION CO,,Ltd.js
- Size
  
  3.5MB
- MD5
  
  fb91a4c36c78fec96b1aef40d2d59c5f
- SHA1
  
  6f80bcc9f8485e7486fc716c47e1f611d688649c
- SHA256
  
  fb578011fca33b512fe0f1b92cc192e57fee479a40a53e981ec61ab220b0922d
- SHA512
  
  77fd763cb36519248f72a9f821bd421733099e47510d508644cb616e8c321c9b9d7aaffe86f1da8c0023a90230263e32c62b73efe5ed31a304ab7d043820d38a
- SSDEEP
  
  6144:DDvsgmpFYY2BrelpSK0XjJr0JS3ZgFt6r6ZpT:DD7Yvt
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm