vjw0rm | fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c

General

Target

Purchase Inquiry AS894 - SG633.js
Size

90KB
MD5

ef6bd6f33894ed4aa9dfd7b008fb3848
SHA1

f0d5020b90e63e67f8a37619f347c932d35cdd7a
SHA256

fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
SHA512

9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab

Score

10^/10

vjw0rm wshrat persistence suricata trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://62.102.148.154:4044

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 57 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
9	1740	wscript.exe
10	972	wscript.exe
11	1088	wscript.exe
12	1088	wscript.exe
14	972	wscript.exe
15	1740	wscript.exe
17	1088	wscript.exe
19	972	wscript.exe
20	1740	wscript.exe
23	1088	wscript.exe
26	1088	wscript.exe
28	1740	wscript.exe
30	972	wscript.exe
31	1088	wscript.exe
35	1088	wscript.exe
38	1740	wscript.exe
39	972	wscript.exe
40	1088	wscript.exe
43	1740	wscript.exe
44	972	wscript.exe
46	1088	wscript.exe
50	1088	wscript.exe
52	972	wscript.exe
53	1740	wscript.exe
55	1088	wscript.exe
57	1740	wscript.exe
59	1088	wscript.exe
61	972	wscript.exe
63	1088	wscript.exe
66	1740	wscript.exe
67	972	wscript.exe
69	1088	wscript.exe
72	1088	wscript.exe
74	1740	wscript.exe
77	972	wscript.exe
78	1088	wscript.exe
80	1740	wscript.exe
82	972	wscript.exe
83	1088	wscript.exe
85	1088	wscript.exe
88	972	wscript.exe
90	1740	wscript.exe
94	1088	wscript.exe
95	1088	wscript.exe
97	972	wscript.exe
98	1740	wscript.exe
100	1088	wscript.exe
103	972	wscript.exe
105	1740	wscript.exe
107	1088	wscript.exe
108	1088	wscript.exe
110	1740	wscript.exe
112	972	wscript.exe
115	1088	wscript.exe
118	972	wscript.exe
120	1740	wscript.exe
122	1088	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js	wscript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\atmsLTFoCr.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\atmsLTFoCr.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	59	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	94	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	11	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	12	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	17	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	26	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	35	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	50	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	100	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	107	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	31	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	55	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	83	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	122	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	23	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	108	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	115	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	85	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	95	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	40	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	46	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	63	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	69	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	72	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript
HTTP User-Agent header	78	WSHRAT\|D81A57AE\|TBHNEBSE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/6/2022\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1296 wrote to memory of 972	1296	wscript.exe	wscript.exe
PID 1296 wrote to memory of 972	1296	wscript.exe	wscript.exe
PID 1296 wrote to memory of 972	1296	wscript.exe	wscript.exe
PID 1296 wrote to memory of 1088	1296	wscript.exe	wscript.exe
PID 1296 wrote to memory of 1088	1296	wscript.exe	wscript.exe
PID 1296 wrote to memory of 1088	1296	wscript.exe	wscript.exe
PID 1088 wrote to memory of 1740	1088	wscript.exe	wscript.exe
PID 1088 wrote to memory of 1740	1088	wscript.exe	wscript.exe
PID 1088 wrote to memory of 1740	1088	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry AS894 - SG633.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:972

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js
Filesize
90KB

MD5
ef6bd6f33894ed4aa9dfd7b008fb3848

SHA1
f0d5020b90e63e67f8a37619f347c932d35cdd7a

SHA256
fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c

SHA512
9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js
Filesize
24KB

MD5
9ee8cc5691721deb7ab96277349ecd7b

SHA1
ccd5c1da84effb50a657fea77d556a737739f1ae

SHA256
03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505

SHA512
ef398c9e8ea9fec4646a7a5b4296f08df8729b83ad38335be33daa4d5349f89aafccd9984d7d980515875a2c09bbb01edd7506f5efeea4cf6ee04f8322ce7c64

Download Submit
C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js
Filesize
90KB

MD5
ef6bd6f33894ed4aa9dfd7b008fb3848

SHA1
f0d5020b90e63e67f8a37619f347c932d35cdd7a

SHA256
fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c

SHA512
9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js
Filesize
24KB

MD5
9ee8cc5691721deb7ab96277349ecd7b

SHA1
ccd5c1da84effb50a657fea77d556a737739f1ae

SHA256
03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505

SHA512
ef398c9e8ea9fec4646a7a5b4296f08df8729b83ad38335be33daa4d5349f89aafccd9984d7d980515875a2c09bbb01edd7506f5efeea4cf6ee04f8322ce7c64

Download Submit
C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js
Filesize
24KB

MD5
9ee8cc5691721deb7ab96277349ecd7b

SHA1
ccd5c1da84effb50a657fea77d556a737739f1ae

SHA256
03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505

SHA512
ef398c9e8ea9fec4646a7a5b4296f08df8729b83ad38335be33daa4d5349f89aafccd9984d7d980515875a2c09bbb01edd7506f5efeea4cf6ee04f8322ce7c64

Download Submit
memory/972-55-0x0000000000000000-mapping.dmp

Download
memory/1088-57-0x0000000000000000-mapping.dmp

Download
memory/1296-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1740-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads