Analysis

  • max time kernel
    170s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2022 17:06

General

  • Target

    PO. AND FULL COMPANY DETAILS.js

  • Size

    52KB

  • MD5

    8bc16b0d732b50f86fedb1f18bb0a49a

  • SHA1

    3f0fc1ebce788f408926e5776e290374f380e072

  • SHA256

    22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed

  • SHA512

    9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e

  • SSDEEP

    1536:jFeQf26nBIldsK9GyP18QyEy4j1vnsrXK:jrzQ7L

Malware Config

Extracted

Family

wshrat

C2

http://91.193.75.135:2120

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 37 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 24 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO. AND FULL COMPANY DETAILS.js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1468
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js

    Filesize

    10KB

    MD5

    55e53bf999e8da52880af2e3eb145dd7

    SHA1

    eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7

    SHA256

    ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06

    SHA512

    9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

  • C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js

    Filesize

    10KB

    MD5

    55e53bf999e8da52880af2e3eb145dd7

    SHA1

    eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7

    SHA256

    ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06

    SHA512

    9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js

    Filesize

    10KB

    MD5

    55e53bf999e8da52880af2e3eb145dd7

    SHA1

    eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7

    SHA256

    ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06

    SHA512

    9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js

    Filesize

    52KB

    MD5

    8bc16b0d732b50f86fedb1f18bb0a49a

    SHA1

    3f0fc1ebce788f408926e5776e290374f380e072

    SHA256

    22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed

    SHA512

    9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e

  • C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js

    Filesize

    52KB

    MD5

    8bc16b0d732b50f86fedb1f18bb0a49a

    SHA1

    3f0fc1ebce788f408926e5776e290374f380e072

    SHA256

    22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed

    SHA512

    9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e