Malware Analysis Report

2025-01-18 12:21

Sample ID: 221031-g4tz4sbban
Target: Scanned copies.js
SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
Tags: vjw0rm wshrat persistence trojan worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804

Threat Level: Known bad

The file Scanned copies.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

Analysis: static1

Detonation Overview

Reported: 2022-10-31 06:21

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-31 06:21
Reported: 2022-10-31 06:24
Platform: win10v2004-20220812-en
Max time kernel: 147s
Max time network: 159s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 676 wrote to memory of 1304 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 676 wrote to memory of 4280 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4280 wrote to memory of 5016 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"

Network


Files

memory/1304-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js

MD5 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1 2bdade957c852dee5c052729e2a464bbd2454082
SHA256 b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

memory/4280-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Scanned copies.js

MD5 49b13da43564fd53f17eb0a803a92a09
SHA1 ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256 ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512 a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31

memory/5016-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js

MD5 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1 2bdade957c852dee5c052729e2a464bbd2454082
SHA256 b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js

MD5 49b13da43564fd53f17eb0a803a92a09
SHA1 ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256 ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512 a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js

MD5 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1 2bdade957c852dee5c052729e2a464bbd2454082
SHA256 b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-31 06:21
Reported: 2022-10-31 06:24
Platform: win7-20220812-en
Max time kernel: 148s
Max time network: 154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"

Network


Files

memory/1988-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

memory/1664-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js

MD5 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1 2bdade957c852dee5c052729e2a464bbd2454082
SHA256 b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

memory/1472-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Scanned copies.js

MD5 49b13da43564fd53f17eb0a803a92a09
SHA1 ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256 ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512 a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js

MD5 49b13da43564fd53f17eb0a803a92a09
SHA1 ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256 ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512 a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31

memory/1756-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js

MD5 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1 2bdade957c852dee5c052729e2a464bbd2454082
SHA256 b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js

MD5 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1 2bdade957c852dee5c052729e2a464bbd2454082
SHA256 b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea