Overview

overview

10

Static

static

SIUCI ORDER.js

windows7-x64

10

SIUCI ORDER.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2022 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SIUCI ORDER.js

  • Size

    38KB

  • MD5

    0aacaf9bf1e78783b3e509986061f7e2

  • SHA1

    f9e45bbbd3a6f06472d99e0422b2a749c3b2ff67

  • SHA256

    484410bc273d5c56528ebc42e0ae23e5b3af00a56a5abf6c66ac3df5d80b62e9

  • SHA512

    58eabe5da6b6b83c2640a1827e69fb8007cc4b08dddab97a726c990d05850204a770e47168b26f5c74c9231f2739b338a66b363a1a9630e1791fd8d15b802293

  • SSDEEP

    384:MS8D/T5zKRkowoXxlgYj+grrvtbzUSbJsiXYhRCBvMki6s8emZGoD45uyrtDGrM3:eDx0NFXku+aCp606su45Nt9QnY5qzC

Score
10/10
vjw0rmwshratpersistencetrojanworm

Malware Config

Extracted

Family

wshrat

C2

http://goods.camdvr.org:2888

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 57 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 25 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\SIUCI ORDER.js"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NWVXVgmjNy.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1492
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SIUCI ORDER.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NWVXVgmjNy.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1368

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NWVXVgmjNy.js
    Filesize

    5KB

    MD5

    dbc70d6189c016294324160a3aae590c

    SHA1

    34cc078ad2e4ed26e70b8d61b1abf8df62f64800

    SHA256

    e2c2384c338bd09861a8400b3d717dacdb383ed4d2b06cad0e0cc3cf32b0fe98

    SHA512

    ca01dcf3cadf2b2731f45f71d6eafdc6258c2f898db819a0cc34da45835e497b0b922c88f6b16b21775a3d7feba05f497fe7eea31d946896b266f029f1fd92b1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIUCI ORDER.js
    Filesize

    38KB

    MD5

    0aacaf9bf1e78783b3e509986061f7e2

    SHA1

    f9e45bbbd3a6f06472d99e0422b2a749c3b2ff67

    SHA256

    484410bc273d5c56528ebc42e0ae23e5b3af00a56a5abf6c66ac3df5d80b62e9

    SHA512

    58eabe5da6b6b83c2640a1827e69fb8007cc4b08dddab97a726c990d05850204a770e47168b26f5c74c9231f2739b338a66b363a1a9630e1791fd8d15b802293

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NWVXVgmjNy.js
    Filesize

    5KB

    MD5

    dbc70d6189c016294324160a3aae590c

    SHA1

    34cc078ad2e4ed26e70b8d61b1abf8df62f64800

    SHA256

    e2c2384c338bd09861a8400b3d717dacdb383ed4d2b06cad0e0cc3cf32b0fe98

    SHA512

    ca01dcf3cadf2b2731f45f71d6eafdc6258c2f898db819a0cc34da45835e497b0b922c88f6b16b21775a3d7feba05f497fe7eea31d946896b266f029f1fd92b1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NWVXVgmjNy.js
    Filesize

    5KB

    MD5

    dbc70d6189c016294324160a3aae590c

    SHA1

    34cc078ad2e4ed26e70b8d61b1abf8df62f64800

    SHA256

    e2c2384c338bd09861a8400b3d717dacdb383ed4d2b06cad0e0cc3cf32b0fe98

    SHA512

    ca01dcf3cadf2b2731f45f71d6eafdc6258c2f898db819a0cc34da45835e497b0b922c88f6b16b21775a3d7feba05f497fe7eea31d946896b266f029f1fd92b1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SIUCI ORDER.js
    Filesize

    38KB

    MD5

    0aacaf9bf1e78783b3e509986061f7e2

    SHA1

    f9e45bbbd3a6f06472d99e0422b2a749c3b2ff67

    SHA256

    484410bc273d5c56528ebc42e0ae23e5b3af00a56a5abf6c66ac3df5d80b62e9

    SHA512

    58eabe5da6b6b83c2640a1827e69fb8007cc4b08dddab97a726c990d05850204a770e47168b26f5c74c9231f2739b338a66b363a1a9630e1791fd8d15b802293

    Download Submit

  • memory/1096-54-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

    Filesize

    8KB

    Download