Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2022 06:21

General

  • Target

    Scanned copies.js

  • Size

    52KB

  • MD5

    49b13da43564fd53f17eb0a803a92a09

  • SHA1

    ed74e4ea8cb53499dc36335814d82ac31cc6d0c7

  • SHA256

    ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804

  • SHA512

    a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31

  • SSDEEP

    768:1zPm7PWaktoJJVRurezocS9ZZtfOuuF1wivT7VYJw9Yc0Sa0Z8K:1DqJJ7urem9Z7fxE1wivT7V+c0SaQ8K

Malware Config

Extracted

Family

wshrat

C2

http://185.252.178.17:5050

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 21 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 7 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4632
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4192

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js

    Filesize

    10KB

    MD5

    0b3fb1c1e7a5cfdc66b4d3985815e6ff

    SHA1

    2bdade957c852dee5c052729e2a464bbd2454082

    SHA256

    b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e

    SHA512

    4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

  • C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js

    Filesize

    10KB

    MD5

    0b3fb1c1e7a5cfdc66b4d3985815e6ff

    SHA1

    2bdade957c852dee5c052729e2a464bbd2454082

    SHA256

    b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e

    SHA512

    4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js

    Filesize

    10KB

    MD5

    0b3fb1c1e7a5cfdc66b4d3985815e6ff

    SHA1

    2bdade957c852dee5c052729e2a464bbd2454082

    SHA256

    b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e

    SHA512

    4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js

    Filesize

    52KB

    MD5

    49b13da43564fd53f17eb0a803a92a09

    SHA1

    ed74e4ea8cb53499dc36335814d82ac31cc6d0c7

    SHA256

    ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804

    SHA512

    a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31

  • C:\Users\Admin\AppData\Roaming\Scanned copies.js

    Filesize

    52KB

    MD5

    49b13da43564fd53f17eb0a803a92a09

    SHA1

    ed74e4ea8cb53499dc36335814d82ac31cc6d0c7

    SHA256

    ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804

    SHA512

    a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31