Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2022, 09:06

General

  • Target

    PO.js

  • Size

    5KB

  • MD5

    2847ee58cb7ef2bc9d410ad73a15961f

  • SHA1

    701a342c49ec6d2c802847157e6a68154168bbf8

  • SHA256

    6b12cfb0d109c8944d64556320bb63e2b0a287b8583c16cc4eb3b32f86fe31c8

  • SHA512

    3245868c4700d28843fc98e6e15eefc269da745b334bc3678f1710d1a7520305bfd5dc2c2cc87ebdd6e114f850eebcb69b55d3f2297d560b5d55621203ee78e6

  • SSDEEP

    96:u9GyFqVgE4DBLSjsg2B7pikxVHFQba/40zpzw4wu+huzLsFZZRKC8CEsrYcshAiR:VuEgBOwZFiO+a/40zNw4wFSLYZRHEsrs

Malware Config

Extracted

Family

vjw0rm

C2

http://212.193.30.230:6505

Extracted

Family

wshrat

C2

http://212.193.30.230:7780

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Script User-Agent 8 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MM456F833Q.js"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MM456F833Q.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:4428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MM456F833Q.js

    Filesize

    24KB

    MD5

    963ca126766bbcd9e8384b9ef2c74673

    SHA1

    59ac9982bde3dcf4d4a89e99b8ab08fedce02ba5

    SHA256

    7549db05702b59ca48c9faaab687273bbe8abad0c8d27540ca89f63ed3c9ed5a

    SHA512

    0df472aa3d72ab2cb7269eb55c3b4a05a3b654a280ccec9f5bd10f6dca07d98ea9c3cb0be101fa5ad973fa718e16c0605ac4a4d8e94952b18140f4c9394d2480

  • C:\Users\Admin\AppData\Roaming\MM456F833Q.js

    Filesize

    24KB

    MD5

    963ca126766bbcd9e8384b9ef2c74673

    SHA1

    59ac9982bde3dcf4d4a89e99b8ab08fedce02ba5

    SHA256

    7549db05702b59ca48c9faaab687273bbe8abad0c8d27540ca89f63ed3c9ed5a

    SHA512

    0df472aa3d72ab2cb7269eb55c3b4a05a3b654a280ccec9f5bd10f6dca07d98ea9c3cb0be101fa5ad973fa718e16c0605ac4a4d8e94952b18140f4c9394d2480

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MM456F833Q.js

    Filesize

    24KB

    MD5

    963ca126766bbcd9e8384b9ef2c74673

    SHA1

    59ac9982bde3dcf4d4a89e99b8ab08fedce02ba5

    SHA256

    7549db05702b59ca48c9faaab687273bbe8abad0c8d27540ca89f63ed3c9ed5a

    SHA512

    0df472aa3d72ab2cb7269eb55c3b4a05a3b654a280ccec9f5bd10f6dca07d98ea9c3cb0be101fa5ad973fa718e16c0605ac4a4d8e94952b18140f4c9394d2480