vjw0rm | f5bd9e703f4bc5d6e39b44059fd8f6d3cba2f1539a95e5b0f8b4d4ea418c1f02

General

Target

Purchase Inquiry AS894 - SG633.js
Size

90KB
MD5

4053e7f0fe576d067a0051229dab1ebc
SHA1

0b32eccac1da9a09fea04d6763b8b4b467a308fb
SHA256

f5bd9e703f4bc5d6e39b44059fd8f6d3cba2f1539a95e5b0f8b4d4ea418c1f02
SHA512

f541b75744b7b59d513ff26d76e125777c9b1e16304e3d52465c75157941a38c5967c186e5c4edbe326c3ddfc433ee4518830a369094bcd5ac422f3091cbd0c7

Score

10^/10

vjw0rm wshrat persistence suricata trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://62.102.148.154:4044

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 56 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
9	964	wscript.exe
10	948	wscript.exe
11	1680	wscript.exe
12	1680	wscript.exe
14	964	wscript.exe
15	948	wscript.exe
17	1680	wscript.exe
19	1680	wscript.exe
21	964	wscript.exe
23	948	wscript.exe
26	1680	wscript.exe
28	948	wscript.exe
30	964	wscript.exe
32	1680	wscript.exe
35	1680	wscript.exe
38	948	wscript.exe
39	964	wscript.exe
41	1680	wscript.exe
42	1680	wscript.exe
45	964	wscript.exe
46	948	wscript.exe
51	1680	wscript.exe
53	1680	wscript.exe
55	948	wscript.exe
56	964	wscript.exe
57	1680	wscript.exe
61	948	wscript.exe
62	964	wscript.exe
63	1680	wscript.exe
65	1680	wscript.exe
68	948	wscript.exe
69	964	wscript.exe
73	1680	wscript.exe
76	1680	wscript.exe
77	948	wscript.exe
79	964	wscript.exe
80	1680	wscript.exe
82	964	wscript.exe
84	948	wscript.exe
86	1680	wscript.exe
89	1680	wscript.exe
90	964	wscript.exe
92	948	wscript.exe
95	1680	wscript.exe
98	1680	wscript.exe
101	964	wscript.exe
102	948	wscript.exe
103	1680	wscript.exe
105	948	wscript.exe
107	964	wscript.exe
108	1680	wscript.exe
110	1680	wscript.exe
113	948	wscript.exe
114	964	wscript.exe
115	1680	wscript.exe
119	1680	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQYWLmlqet.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQYWLmlqet.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQYWLmlqet.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js	wscript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PQYWLmlqet.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PQYWLmlqet.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	11	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	35	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	42	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	73	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	86	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	108	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	110	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	103	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	19	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	26	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	51	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	53	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	63	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	65	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	98	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	115	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	12	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	17	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	32	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	95	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	41	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	57	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	76	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	80	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	89	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1992 wrote to memory of 948	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 948	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 948	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 1680	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 1680	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 1680	1992	wscript.exe	wscript.exe
PID 1680 wrote to memory of 964	1680	wscript.exe	wscript.exe
PID 1680 wrote to memory of 964	1680	wscript.exe	wscript.exe
PID 1680 wrote to memory of 964	1680	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry AS894 - SG633.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PQYWLmlqet.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:948

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PQYWLmlqet.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQYWLmlqet.js
Filesize
24KB

MD5
1c00b4b46a6daa4423ec4319f72a2357

SHA1
e3ffba905bd0e824e0ad12c00bca1e011f872097

SHA256
7a6661d7f145fddefafe540e35c76842e54cf98f87b3e27d18813b955b2dd23e

SHA512
3d09dd2dcc6cb4b4860521ee84a4b67e93fd288e3dfa3d1d733ee4fd3d7543af0a3ebee5cef8071383683363d33a02a6c0dafc98d0d30508e350636d2a445be6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js
Filesize
90KB

MD5
4053e7f0fe576d067a0051229dab1ebc

SHA1
0b32eccac1da9a09fea04d6763b8b4b467a308fb

SHA256
f5bd9e703f4bc5d6e39b44059fd8f6d3cba2f1539a95e5b0f8b4d4ea418c1f02

SHA512
f541b75744b7b59d513ff26d76e125777c9b1e16304e3d52465c75157941a38c5967c186e5c4edbe326c3ddfc433ee4518830a369094bcd5ac422f3091cbd0c7

Download Submit
C:\Users\Admin\AppData\Roaming\PQYWLmlqet.js
Filesize
24KB

MD5
1c00b4b46a6daa4423ec4319f72a2357

SHA1
e3ffba905bd0e824e0ad12c00bca1e011f872097

SHA256
7a6661d7f145fddefafe540e35c76842e54cf98f87b3e27d18813b955b2dd23e

SHA512
3d09dd2dcc6cb4b4860521ee84a4b67e93fd288e3dfa3d1d733ee4fd3d7543af0a3ebee5cef8071383683363d33a02a6c0dafc98d0d30508e350636d2a445be6

Download Submit
C:\Users\Admin\AppData\Roaming\PQYWLmlqet.js
Filesize
24KB

MD5
1c00b4b46a6daa4423ec4319f72a2357

SHA1
e3ffba905bd0e824e0ad12c00bca1e011f872097

SHA256
7a6661d7f145fddefafe540e35c76842e54cf98f87b3e27d18813b955b2dd23e

SHA512
3d09dd2dcc6cb4b4860521ee84a4b67e93fd288e3dfa3d1d733ee4fd3d7543af0a3ebee5cef8071383683363d33a02a6c0dafc98d0d30508e350636d2a445be6

Download Submit
C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js
Filesize
90KB

MD5
4053e7f0fe576d067a0051229dab1ebc

SHA1
0b32eccac1da9a09fea04d6763b8b4b467a308fb

SHA256
f5bd9e703f4bc5d6e39b44059fd8f6d3cba2f1539a95e5b0f8b4d4ea418c1f02

SHA512
f541b75744b7b59d513ff26d76e125777c9b1e16304e3d52465c75157941a38c5967c186e5c4edbe326c3ddfc433ee4518830a369094bcd5ac422f3091cbd0c7

Download Submit
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads