Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2022, 09:07

General

  • Target

    COMPLAINT.pdf.js

  • Size

    46KB

  • MD5

    56d85e623a701f4142a111275fbbc4f5

  • SHA1

    51a35029e972c33d4ca4b835f00ab3a5a0469b9b

  • SHA256

    9f6e297dd86de88825487549c0f25f02c10138b57b1b955034995615c58a13d2

  • SHA512

    a75b846f4e8c1880f925ab295e972cf2f5aeb14f48bb6b849432853d4d1d487535f3632388fb5033b61570f8eda59d7623d0cf02f99a7d8dbccedd2e4c79956e

  • SSDEEP

    768:7Vn42jDFXsoL7DkiZNsS83FmspAlaxuZDdiovlA2kBqV160Sa0mBSSLtdG:7Vn3jOK7DjZTyBil2wDdiovS660SakSi

Malware Config

Extracted

Family

wshrat

C2

http://niiarmah.kozow.com:1604

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • Blocklisted process makes network request (40 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (5 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; for a Houdini-derived worm such as WSHRAT it is equally consistent with enumerating removable drives in order to copy itself onto them.

  • Script User-Agent (28 IoCs)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\COMPLAINT.pdf.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SShWrokJru.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1036
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\COMPLAINT.pdf.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SShWrokJru.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1212
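The process tree and signatures above translate directly into host-based detections: a script host (wscript.exe) executing a .js from %TEMP% or %APPDATA%\Roaming, wscript.exe spawning a second wscript.exe with the //B switch (batch mode, which suppresses script error dialogs), a .js dropped into the Start Menu Startup folder, a Run key pointing at a script, a lure-style double extension such as .pdf.js, and a connection to the extracted C2. The Python below is an added example and not part of the sandbox report: it runs those rules over a handful of constructed Sysmon-style events modelled on this report. The event field names, the Run key value name and data, and the benign events are assumptions for illustration; the file hashes, paths and C2 host come from the report.

```python
import re
from collections import Counter

# Indicators taken from the report above.
KNOWN_SHA256 = {
    "9f6e297dd86de88825487549c0f25f02c10138b57b1b955034995615c58a13d2",  # COMPLAINT.pdf.js
    "775e70946b221f699fd762167e033a487030bd1200e3062d74ddf4f8f288329b",  # SShWrokJru.js
}
C2_HOST, C2_PORT = "niiarmah.kozow.com", 1604

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# Lure-style double extension, e.g. COMPLAINT.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event index, rule name) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and basename(ev["image"]) in SCRIPT_HOSTS:
            cmd = ev["cmdline"]
            if SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                hits.append((i, "script_host_runs_script_from_user_dir"))
            if DOUBLE_EXT.search(cmd):
                hits.append((i, "double_extension_lure"))
            if "//b" in cmd.lower():  # //B: batch mode, no error dialogs, as in the tree above
                hits.append((i, "script_host_batch_mode"))
            if basename(ev["parent_image"]) in SCRIPT_HOSTS:
                hits.append((i, "script_host_spawns_script_host"))
        elif ev["type"] == "file":
            if STARTUP_DIR.search(ev["path"]) and SCRIPT_EXT.search(ev["path"]):
                hits.append((i, "script_dropped_in_startup_folder"))
            if ev.get("sha256") in KNOWN_SHA256:
                hits.append((i, "known_wshrat_sample_hash"))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and SCRIPT_EXT.search(ev["data"]):
                hits.append((i, "run_key_points_to_script"))
        elif ev["type"] == "network":
            if ev["dest"].lower() == C2_HOST and ev["port"] == C2_PORT:
                hits.append((i, "wshrat_c2_contact"))
    return hits


def summarize(events):
    """Rule name -> number of events that tripped it."""
    return Counter(rule for _, rule in detect(events))


# Constructed Sysmon-style events modelled on the process tree above (not sandbox output).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 5008, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\COMPLAINT.pdf.js"},
    {"type": "file", "pid": 5008, "path": r"C:\Users\Admin\AppData\Roaming\COMPLAINT.pdf.js",
     "sha256": "9f6e297dd86de88825487549c0f25f02c10138b57b1b955034995615c58a13d2"},
    {"type": "file", "pid": 5008,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COMPLAINT.pdf.js",
     "sha256": "9f6e297dd86de88825487549c0f25f02c10138b57b1b955034995615c58a13d2"},
    # Run key value name and data are assumed; the report only records that a Run key was added.
    {"type": "registry", "pid": 5008,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\COMPLAINT",
     "data": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\COMPLAINT.pdf.js"'},
    {"type": "process", "pid": 1036, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SShWrokJru.js"'},
    {"type": "network", "pid": 1036, "dest": "niiarmah.kozow.com", "port": 1604},
    # Benign noise that must not fire (assumed).
    {"type": "process", "pid": 2200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Admin\Documents\notes.txt"},
    {"type": "registry", "pid": 2200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{count:2d}  {rule}")
```

The rules are deliberately behavioural rather than hash-only: the dropped SShWrokJru.js will differ per victim, so the wscript-spawns-wscript, //B, Startup-folder and Run-key rules are what survive a rebuilt sample, while the hash and C2 matches serve as high-confidence confirmation when they do fire.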

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Roaming\COMPLAINT.pdf.js

          Filesize

          46KB

          MD5

          56d85e623a701f4142a111275fbbc4f5

          SHA1

          51a35029e972c33d4ca4b835f00ab3a5a0469b9b

          SHA256

          9f6e297dd86de88825487549c0f25f02c10138b57b1b955034995615c58a13d2

          SHA512

          a75b846f4e8c1880f925ab295e972cf2f5aeb14f48bb6b849432853d4d1d487535f3632388fb5033b61570f8eda59d7623d0cf02f99a7d8dbccedd2e4c79956e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COMPLAINT.pdf.js

          Filesize

          46KB

          MD5

          56d85e623a701f4142a111275fbbc4f5

          SHA1

          51a35029e972c33d4ca4b835f00ab3a5a0469b9b

          SHA256

          9f6e297dd86de88825487549c0f25f02c10138b57b1b955034995615c58a13d2

          SHA512

          a75b846f4e8c1880f925ab295e972cf2f5aeb14f48bb6b849432853d4d1d487535f3632388fb5033b61570f8eda59d7623d0cf02f99a7d8dbccedd2e4c79956e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SShWrokJru.js

          Filesize

          8KB

          MD5

          fe336640086b91731a9486f8d777bdab

          SHA1

          3f2e7924c2223490208b2f103029510261ecefef

          SHA256

          775e70946b221f699fd762167e033a487030bd1200e3062d74ddf4f8f288329b

          SHA512

          0a85088d5f4efba18de3b2df27dd1879be4573fe741ba054fdd070d9e4c720a1c96c1b26ffa53f2d363ab310df3b04ae6f77ee203cb23119f4c63ab8898e9f4f

        • C:\Users\Admin\AppData\Roaming\SShWrokJru.js

          Filesize

          8KB

          MD5

          fe336640086b91731a9486f8d777bdab

          SHA1

          3f2e7924c2223490208b2f103029510261ecefef

          SHA256

          775e70946b221f699fd762167e033a487030bd1200e3062d74ddf4f8f288329b

          SHA512

          0a85088d5f4efba18de3b2df27dd1879be4573fe741ba054fdd070d9e4c720a1c96c1b26ffa53f2d363ab310df3b04ae6f77ee203cb23119f4c63ab8898e9f4f
