vjw0rm | 7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d

General

Target

INTERAC Service Request9466544665440.js
Size

3KB
MD5

38ecf70cf09d8c499546c01c028dd70f
SHA1

d4d57eeb688d2abe1eeae5b0dc142d588246648b
SHA256

7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d
SHA512

bd92d0a81b6c9b553d11ace0f680f677a727de965703205955c92650ed43fe68f593b228e62d90acafc53e34864e4715eebd877808e2b160ee1d3dfeaf9462bc

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://jswormpeople.duckdns.org:1921

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js	family_wshrat
C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js	family_wshrat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js	family_wshrat

Blocklisted process makes network request 25 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
5	1272	wscript.exe
8	1556	wscript.exe
10	1556	wscript.exe
11	1556	wscript.exe
12	1556	wscript.exe
14	1556	wscript.exe
15	1556	wscript.exe
16	1556	wscript.exe
18	1556	wscript.exe
19	1556	wscript.exe
20	1556	wscript.exe
22	1556	wscript.exe
23	1556	wscript.exe
24	1556	wscript.exe
26	1556	wscript.exe
27	1556	wscript.exe
28	1556	wscript.exe
30	1556	wscript.exe
31	1556	wscript.exe
32	1556	wscript.exe
34	1556	wscript.exe
35	1556	wscript.exe
36	1556	wscript.exe
38	1556	wscript.exe
39	1556	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exeWScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js	WScript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\K3A8F1X622 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INTERAC Service Request9466544665440.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

572 schtasks.exe

flow	ioc
7	ip-api.com

pid	process
572	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exeWScript.exe

description	pid	process	target process
PID 1272 wrote to memory of 572	1272	wscript.exe	schtasks.exe
PID 1272 wrote to memory of 572	1272	wscript.exe	schtasks.exe
PID 1272 wrote to memory of 572	1272	wscript.exe	schtasks.exe
PID 1272 wrote to memory of 1588	1272	wscript.exe	WScript.exe
PID 1272 wrote to memory of 1588	1272	wscript.exe	WScript.exe
PID 1272 wrote to memory of 1588	1272	wscript.exe	WScript.exe
PID 1588 wrote to memory of 1556	1588	WScript.exe	wscript.exe
PID 1588 wrote to memory of 1556	1588	WScript.exe	wscript.exe
PID 1588 wrote to memory of 1556	1588	WScript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js
2⤵
- Creates scheduled task(s)
PID:572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js
MD5
e4df266d9763db8663d812ae59e7270a

SHA1
375f6f2f16db35bda5290b537da15d30da66609d

SHA256
d02f604013705f3784a0a278e77b533612e00dd3fa95770b46bfe897777eb9fd

SHA512
901e5d5fc83d15f0106b634ca78e3417a461d8b4d796daccaa963778c8db7f4ac030a5236d8f7f5a7ac7738fb9100496fc1ca2b630bd25d86f1f5a25f0ea69b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js
MD5
e4df266d9763db8663d812ae59e7270a

SHA1
375f6f2f16db35bda5290b537da15d30da66609d

SHA256
d02f604013705f3784a0a278e77b533612e00dd3fa95770b46bfe897777eb9fd

SHA512
901e5d5fc83d15f0106b634ca78e3417a461d8b4d796daccaa963778c8db7f4ac030a5236d8f7f5a7ac7738fb9100496fc1ca2b630bd25d86f1f5a25f0ea69b0

Download Submit
C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js
MD5
e4df266d9763db8663d812ae59e7270a

SHA1
375f6f2f16db35bda5290b537da15d30da66609d

SHA256
d02f604013705f3784a0a278e77b533612e00dd3fa95770b46bfe897777eb9fd

SHA512
901e5d5fc83d15f0106b634ca78e3417a461d8b4d796daccaa963778c8db7f4ac030a5236d8f7f5a7ac7738fb9100496fc1ca2b630bd25d86f1f5a25f0ea69b0

Download Submit
memory/572-54-0x0000000000000000-mapping.dmp

Download
memory/1272-53-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1556-58-0x0000000000000000-mapping.dmp

Download
memory/1588-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads