vjw0rm | 99d7b67e0d011b22fe3e491445fe0a6dab5e6999d8f7fb99ec505d434255d712

General

Target

4.js
Size

9KB
MD5

b5e34472d72474569a2332ce317f4cc1
SHA1

209017707d1e40faa9ec527e2128ef25de4b76ce
SHA256

99d7b67e0d011b22fe3e491445fe0a6dab5e6999d8f7fb99ec505d434255d712
SHA512

2d18a8be9a19fa77336d950c18257039f4fe5165c354aae253efba0509c72a879a6ccbf3ec2275345deeed39d31227ae95ff7c56fa1583919e715ad6f5ba0094

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exeWScript.exewscript.exe

flow pid process

7 3176 wscript.exe
13 2088 WScript.exe
18 1700 wscript.exe
20 1700 wscript.exe
21 1700 wscript.exe

flow	pid	process
7	3176	wscript.exe
13	2088	WScript.exe
18	1700	wscript.exe
20	1700	wscript.exe
21	1700	wscript.exe

Drops startup file 6 IoCs

Processes:

wscript.exewscript.exeWScript.exeWScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A84AXBNN6A.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EA347B7QRQ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EA347B7QRQ.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A84AXBNN6A.js	WScript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exeWScript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\I0ZIRGD8RJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\EA347B7QRQ.js\""	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1676 schtasks.exe
4088 schtasks.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings wscript.exe

flow	ioc
17	ip-api.com

pid	process
1676	schtasks.exe
4088	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	wscript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	20	WSHRAT\|A2C56C1C\|RJMQBVDN\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 7/7/2021\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|A2C56C1C\|RJMQBVDN\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 7/7/2021\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3176 wrote to memory of 1676	3176	wscript.exe	schtasks.exe
PID 3176 wrote to memory of 1676	3176	wscript.exe	schtasks.exe
PID 3176 wrote to memory of 2088	3176	wscript.exe	WScript.exe
PID 3176 wrote to memory of 2088	3176	wscript.exe	WScript.exe
PID 2088 wrote to memory of 4088	2088	WScript.exe	schtasks.exe
PID 2088 wrote to memory of 4088	2088	WScript.exe	schtasks.exe
PID 3176 wrote to memory of 3848	3176	wscript.exe	WScript.exe
PID 3176 wrote to memory of 3848	3176	wscript.exe	WScript.exe
PID 3848 wrote to memory of 1700	3848	WScript.exe	wscript.exe
PID 3848 wrote to memory of 1700	3848	WScript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\4.js
2⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
3⤵
- Creates scheduled task(s)
PID:4088

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A84AXBNN6A.js"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\A84AXBNN6A.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A84AXBNN6A.js
MD5
6874d678e690727b4a78c048c4a52ce1

SHA1
b3da716221772dd30e68f38177295d6c8162d548

SHA256
b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

SHA512
d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
MD5
1fcdabf0091e9b0c9688f3197749cc51

SHA1
758692234294f34d068477aef9b37389f9abb13b

SHA256
8676da33f9c52582e2759516dbd1d19e836edcc1132babf4839d81e6b3b08a07

SHA512
b484f33c7ea540c08e06d02742d925a4867af8b7046b028f81a4be53acc8290fcbd703704e3ae032cde449914acb5495244460749c9cf1fc08e1bbdc61233748

Download Submit
C:\Users\Admin\AppData\Roaming\A84AXBNN6A.js
MD5
6874d678e690727b4a78c048c4a52ce1

SHA1
b3da716221772dd30e68f38177295d6c8162d548

SHA256
b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

SHA512
d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A84AXBNN6A.js
MD5
6874d678e690727b4a78c048c4a52ce1

SHA1
b3da716221772dd30e68f38177295d6c8162d548

SHA256
b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

SHA512
d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

Download Submit
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1700-120-0x0000000000000000-mapping.dmp

Download
memory/2088-115-0x0000000000000000-mapping.dmp

Download
memory/3848-118-0x0000000000000000-mapping.dmp

Download
memory/4088-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads