vjw0rm | ab889a992abc0afcb59459911ca153a5660a63b891fc6a8c494ddea688f434a2

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment-Swift 30-09-2022.js
Size

46KB
MD5

9992b1e4af3fdd6c7cc6acbc687a3e90
SHA1

dd6f7e3293ede9d1a826fe56b23d1bf37799fae1
SHA256

0ec1a20ddac1dfae8aa8d748e9ca674014ef6f3a12eb643c1260071b727c0ee6
SHA512

2d0f2fbce674cb26a17c417e5dc8d3de09dbd95f2f29e842a2478bbaaa1d234ae484d11a77aade8ceaa34cc2365e2e4f2c7a52476895fc179edbe24fcb03db98
SSDEEP

768:5BlM2pDXX8oe77Z6aFoS83vwBaNKTuNbni278K+3ghe0SaYzgBSSLtTG:5Bljp4z774avyIQN8kbni278me0SaqSw

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://jbd231.duckdns.org:2022

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 38 IoCs

flow	pid	Process
10	972	wscript.exe
11	1412	wscript.exe
12	2024	wscript.exe
13	2024	wscript.exe
14	2024	wscript.exe
17	2024	wscript.exe
18	2024	wscript.exe
21	2024	wscript.exe
23	1412	wscript.exe
25	972	wscript.exe
26	2024	wscript.exe
29	2024	wscript.exe
31	2024	wscript.exe
36	2024	wscript.exe
38	2024	wscript.exe
41	2024	wscript.exe
43	1412	wscript.exe
45	972	wscript.exe
46	2024	wscript.exe
48	2024	wscript.exe
51	2024	wscript.exe
53	2024	wscript.exe
58	2024	wscript.exe
60	2024	wscript.exe
63	972	wscript.exe
65	1412	wscript.exe
67	2024	wscript.exe
68	2024	wscript.exe
70	2024	wscript.exe
73	2024	wscript.exe
76	2024	wscript.exe
78	2024	wscript.exe
81	1412	wscript.exe
83	972	wscript.exe
84	2024	wscript.exe
86	2024	wscript.exe
88	2024	wscript.exe
91	2024	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment-Swift 30-09-2022.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment-Swift 30-09-2022.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cNrOCJfIoI.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cNrOCJfIoI.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cNrOCJfIoI.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment-Swift 30-09-2022 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Payment-Swift 30-09-2022.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment-Swift 30-09-2022 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Payment-Swift 30-09-2022.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment-Swift 30-09-2022 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Payment-Swift 30-09-2022.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment-Swift 30-09-2022 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Payment-Swift 30-09-2022.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 28 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	21	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	48	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	41	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	70	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	36	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	53	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	88	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	91	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	17	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	38	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	58	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	67	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	12	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	31	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	78	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	84	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	76	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	86	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	60	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	68	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	26	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	29	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	73	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	13	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	14	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	46	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript
HTTP User-Agent header	51	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2022\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 972	2016	wscript.exe	26
PID 2016 wrote to memory of 972	2016	wscript.exe	26
PID 2016 wrote to memory of 972	2016	wscript.exe	26
PID 2016 wrote to memory of 2024	2016	wscript.exe	27
PID 2016 wrote to memory of 2024	2016	wscript.exe	27
PID 2016 wrote to memory of 2024	2016	wscript.exe	27
PID 2024 wrote to memory of 1412	2024	wscript.exe	29
PID 2024 wrote to memory of 1412	2024	wscript.exe	29
PID 2024 wrote to memory of 1412	2024	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment-Swift 30-09-2022.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cNrOCJfIoI.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:972
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Payment-Swift 30-09-2022.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cNrOCJfIoI.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment-Swift 30-09-2022.js

Filesize
46KB

MD5
9992b1e4af3fdd6c7cc6acbc687a3e90

SHA1
dd6f7e3293ede9d1a826fe56b23d1bf37799fae1

SHA256
0ec1a20ddac1dfae8aa8d748e9ca674014ef6f3a12eb643c1260071b727c0ee6

SHA512
2d0f2fbce674cb26a17c417e5dc8d3de09dbd95f2f29e842a2478bbaaa1d234ae484d11a77aade8ceaa34cc2365e2e4f2c7a52476895fc179edbe24fcb03db98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cNrOCJfIoI.js

Filesize
8KB

MD5
38f775ae3b77cc26ebf7825619155325

SHA1
515d87a870d9dfa245df48172d63cca22c1410ac

SHA256
6bd50830c98a6505fa3a016c2f1fe8653d62d2c5d9212c0636f9ffb67bce8f27

SHA512
c29417d47acceb725b0ebe4a7bcc13f31ac2483ba478cc7c5c051d59aec3a525d3f62adcff466aa88c6a7b0f87be97135df096689cbb2c9cd3f53b13ce8f5da8

Download Submit
C:\Users\Admin\AppData\Roaming\Payment-Swift 30-09-2022.js

Filesize
46KB

MD5
9992b1e4af3fdd6c7cc6acbc687a3e90

SHA1
dd6f7e3293ede9d1a826fe56b23d1bf37799fae1

SHA256
0ec1a20ddac1dfae8aa8d748e9ca674014ef6f3a12eb643c1260071b727c0ee6

SHA512
2d0f2fbce674cb26a17c417e5dc8d3de09dbd95f2f29e842a2478bbaaa1d234ae484d11a77aade8ceaa34cc2365e2e4f2c7a52476895fc179edbe24fcb03db98

Download Submit
C:\Users\Admin\AppData\Roaming\cNrOCJfIoI.js

Filesize
8KB

MD5
38f775ae3b77cc26ebf7825619155325

SHA1
515d87a870d9dfa245df48172d63cca22c1410ac

SHA256
6bd50830c98a6505fa3a016c2f1fe8653d62d2c5d9212c0636f9ffb67bce8f27

SHA512
c29417d47acceb725b0ebe4a7bcc13f31ac2483ba478cc7c5c051d59aec3a525d3f62adcff466aa88c6a7b0f87be97135df096689cbb2c9cd3f53b13ce8f5da8

Download Submit
C:\Users\Admin\AppData\Roaming\cNrOCJfIoI.js

Filesize
8KB

MD5
38f775ae3b77cc26ebf7825619155325

SHA1
515d87a870d9dfa245df48172d63cca22c1410ac

SHA256
6bd50830c98a6505fa3a016c2f1fe8653d62d2c5d9212c0636f9ffb67bce8f27

SHA512
c29417d47acceb725b0ebe4a7bcc13f31ac2483ba478cc7c5c051d59aec3a525d3f62adcff466aa88c6a7b0f87be97135df096689cbb2c9cd3f53b13ce8f5da8

Download Submit
memory/2016-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download