vjw0rm | 3c286cb424581637fb85ea9fe88579e0b34421cd4c463183e500df3c29135a3f | Triage

Sharing

General

Target

42a42d7b66691e3fff3e691d70703ce5.bin
Size

732KB
Sample

230411-bdbsysbb6w
MD5

df79efd702c3f5a80395433ca4673790
SHA1

568d49eef812a442f41351bb852081523158263a
SHA256

3c286cb424581637fb85ea9fe88579e0b34421cd4c463183e500df3c29135a3f
SHA512

61a073b86a27fb27ea3b0195845b87a9b0b9cfdfdbaf9bb9724bf77fbbb58ea77e12985a71878c293b443a92138f29d738f021fb2c930ff9e940743c2f78f957
SSDEEP

12288:hzWcTswBWgflBpbcjP3LXkkkUzrZ6lE5QWPzkw/YTkuhMCgnZAhe1E4kSgWpqS:h4w9flBpIbbkk/zV6lWQWPzbATACs+SR

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://graceland.dns05.com:2048

Targets

- Target
  
  3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
- Size
  
  2.7MB
- MD5
  
  42a42d7b66691e3fff3e691d70703ce5
- SHA1
  
  9e57f573570d068b964c84b5d7cdbf1fb010e3d9
- SHA256
  
  3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
- SHA512
  
  bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
- SSDEEP
  
  24576:ydSySTD8C4AeGIfkZP5Xog8NWtQVNmxE/imwx+pBUqyO57ZPUm:nnuLh
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm