Malware Analysis Report

2025-04-14 08:27

Sample ID 210927-jx7nqsfhhn
Target #RS00HNAWZ1.iso
SHA256 2507f3526d4419945b1091542eeca79de74602e5cea24b14492fe14be66d7ab5
Tags
vjw0rm wshrat persistence suricata trojan worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file #RS00HNAWZ1.iso was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence suricata trojan worm

WSHRAT

suricata: ET MALWARE WSHRAT CnC Checkin

Vjw0rm

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Creates scheduled task(s)

Script User-Agent

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-09-27 08:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-27 08:03

Reported

2021-09-27 08:06

Platform

win7-en-20210920

Max time kernel

157s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S55OMESZ0S.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#RS00HNAWZ1.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#RS00HNAWZ1.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L52ZDTVG87.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L52ZDTVG87.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S55OMESZ0S.js C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\G3VX00GAKU = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#RS00HNAWZ1.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 1300 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\schtasks.exe
PID 1464 wrote to memory of 1160 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1160 wrote to memory of 1692 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1464 wrote to memory of 1500 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1500 wrote to memory of 392 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\L52ZDTVG87.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\L52ZDTVG87.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\S55OMESZ0S.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\S55OMESZ0S.js"

Network

Country Destination Domain Proto
US 40.121.49.138:8024 40.121.49.138 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 wwsh427.duckdns.org udp
US 40.121.133.173:8904 wwsh427.duckdns.org tcp
US 40.121.133.173:8904 tcp

Files

memory/1300-54-0x0000000000000000-mapping.dmp

memory/1160-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\L52ZDTVG87.js

memory/1692-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\L52ZDTVG87.js

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L52ZDTVG87.js

memory/1500-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\S55OMESZ0S.js

memory/392-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\S55OMESZ0S.js

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S55OMESZ0S.js

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K8CH4PHC\json[1].json

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-27 08:03

Reported

2021-09-27 08:09

Platform

win10v20210408

Max time kernel

111s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#RS00HNAWZ1.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#RS00HNAWZ1.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\G3VX00GAKU = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#RS00HNAWZ1.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1136 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\schtasks.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js

Network

Country Destination Domain Proto
US 40.121.49.138:8024 40.121.49.138 tcp

Files

memory/1136-114-0x0000000000000000-mapping.dmp