General

  • Target

    ShippingDetails.js

  • Size

    4.6MB

  • Sample

    230605-swa3tahh81

  • MD5

    e8150ba03200183abce718f6b028b2c3

  • SHA1

    606491a54f6dc244fc533317a0f936b818de9a4c

  • SHA256

    3f3ee13d1a86d8f63c3c730556cfcff2a1f8d22980fdc001b5240ce7315dcd23

  • SHA512

    4aa7fd5b696933155143f66a54785c48ff368bb6fbf7f5afcc24ababd2436c31b0d847f32b3d66888867f179a34dd9284a9c9a8f54f3f96ea23601804bafacb5

  • SSDEEP

    24576:p5K1gGMDzG6PbjQ46Te9iEQokfhrC/SwzkfHGi9xM7LHyG9XqUrQdAtzkTGCJTrK:G3Fmv

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://139.177.146.165:4848

Targets

    • Target

      ShippingDetails.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)

Tasks