adwind | 230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7 | Triage

Sharing

General

Target

de80ddaf900379871f2bab20d64da027_JaffaCakes118
Size

646KB
Sample

241210-z1jdbayphv
MD5

de80ddaf900379871f2bab20d64da027
SHA1

22dbcdac16ba7ced8816a60040eb18a6246ae41a
SHA256

230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7
SHA512

ca997731ef7bb4db84bf1bbde7aff87520e52491ee85721351fd722421f05ac95795515c4d0d3620d77b9b106178a6c930d15d51333a54710ee3aec73a298ce5
SSDEEP

12288:1vRUyXewlgFEanFjj+SpBw6tFZmAT28Al/VFbdOXQW54O:1v/Xb6Djj+SpBwuFT28yLpSQWn

Score

10^/10

adwind wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://unknownsoft.duckdns.org:7755

Targets

- Target
  
  de80ddaf900379871f2bab20d64da027_JaffaCakes118
- Size
  
  646KB
- MD5
  
  de80ddaf900379871f2bab20d64da027
- SHA1
  
  22dbcdac16ba7ced8816a60040eb18a6246ae41a
- SHA256
  
  230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7
- SHA512
  
  ca997731ef7bb4db84bf1bbde7aff87520e52491ee85721351fd722421f05ac95795515c4d0d3620d77b9b106178a6c930d15d51333a54710ee3aec73a298ce5
- SSDEEP
  
  12288:1vRUyXewlgFEanFjj+SpBw6tFZmAT28Al/VFbdOXQW54O:1v/Xb6Djj+SpBwuFT28yLpSQWn
Score

10^/10

adwind wshrat execution persistence trojan
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Adwind family
  adwind
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Wshrat family
  wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

adwindwshratexecutionpersistencetrojan

behavioral2

adwindwshratexecutionpersistencetrojan