Overview

overview

10

Static

static

E-receipt ...222.js

windows7_x64

10

E-receipt ...222.js

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-06-2022 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-receipt #8992-WSH-276020222.js

  • Size

    37KB

  • MD5

    85f9be3cfbb0cebf7a3f87530dce3297

  • SHA1

    af0fe8f3ef7d964ddbe723106e54244d92b2f5e6

  • SHA256

    7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940

  • SHA512

    c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84

Score
10/10
vjw0rmwshratpersistencesuricatatrojanworm

Malware Config

Extracted

Family

wshrat

C2

http://37.0.8.115:8992

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • suricata: ET MALWARE WSHRAT CnC Checkin

    suricata: ET MALWARE WSHRAT CnC Checkin

    suricata
  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

    suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

    suricata
  • Blocklisted process makes network request 62 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 30 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\E-receipt #8992-WSH-276020222.js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4036
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\E-receipt #8992-WSH-276020222.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\E-receipt #8992-WSH-276020222.js
    Filesize

    37KB

    MD5

    85f9be3cfbb0cebf7a3f87530dce3297

    SHA1

    af0fe8f3ef7d964ddbe723106e54244d92b2f5e6

    SHA256

    7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940

    SHA512

    c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js
    Filesize

    37KB

    MD5

    85f9be3cfbb0cebf7a3f87530dce3297

    SHA1

    af0fe8f3ef7d964ddbe723106e54244d92b2f5e6

    SHA256

    7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940

    SHA512

    c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js
    Filesize

    5KB

    MD5

    47b99c09efd9460d6ca76d2a8075ab2a

    SHA1

    b7c04a21fe1ef56a955b939070b3b06bf11a1f1f

    SHA256

    64c706bf226ea66d774c2ffe5ef5350ed2d80b3832a924155f0379cc41b60d45

    SHA512

    04adcead521d715db4d93214e4b05601418046cf72b76ec36a034b8717db555bdc26c5dd40bcca6fa2fb534306df122d57af6a4d56e906d2cec1cb0ee0557cbe

    Download Submit
  • C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js
    Filesize

    5KB

    MD5

    47b99c09efd9460d6ca76d2a8075ab2a

    SHA1

    b7c04a21fe1ef56a955b939070b3b06bf11a1f1f

    SHA256

    64c706bf226ea66d774c2ffe5ef5350ed2d80b3832a924155f0379cc41b60d45

    SHA512

    04adcead521d715db4d93214e4b05601418046cf72b76ec36a034b8717db555bdc26c5dd40bcca6fa2fb534306df122d57af6a4d56e906d2cec1cb0ee0557cbe

    Download Submit
  • C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js
    Filesize

    5KB

    MD5

    47b99c09efd9460d6ca76d2a8075ab2a

    SHA1

    b7c04a21fe1ef56a955b939070b3b06bf11a1f1f

    SHA256

    64c706bf226ea66d774c2ffe5ef5350ed2d80b3832a924155f0379cc41b60d45

    SHA512

    04adcead521d715db4d93214e4b05601418046cf72b76ec36a034b8717db555bdc26c5dd40bcca6fa2fb534306df122d57af6a4d56e906d2cec1cb0ee0557cbe

    Download Submit
  • memory/756-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4036-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4792-135-0x0000000000000000-mapping.dmp
    Download