Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-11-2022 12:56

General

  • Target

    PO N°CF004303.js

  • Size

    52KB

  • MD5

    587ad35d06bccec7b8ff387dc0e5797e

  • SHA1

    f8729b7d69e638887de8de9afd49f134b8c58025

  • SHA256

    63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b

  • SHA512

    9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

  • SSDEEP

    1536:Ol/31MQwrtOdTFUErwEXQZvrLmhg36pnGAZE+AK:OGErw+l

Malware Config

Extracted

Family

wshrat

C2

http://194.5.98.198:1604

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (37 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (5 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent (24 IoCs)

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1936
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO N°CF004303.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1336

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js

    Filesize

    52KB

    MD5

    587ad35d06bccec7b8ff387dc0e5797e

    SHA1

    f8729b7d69e638887de8de9afd49f134b8c58025

    SHA256

    63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b

    SHA512

    9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js

    Filesize

    10KB

    MD5

    f9332f9e18de0d77598ea6b6ca069da2

    SHA1

    09f7ba47ca4f682f500b2aa262326d7f60ef1cfa

    SHA256

    c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99

    SHA512

    76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac

  • C:\Users\Admin\AppData\Roaming\PO N°CF004303.js

    Filesize

    52KB

    MD5

    587ad35d06bccec7b8ff387dc0e5797e

    SHA1

    f8729b7d69e638887de8de9afd49f134b8c58025

    SHA256

    63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b

    SHA512

    9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

  • C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js

    Filesize

    10KB

    MD5

    f9332f9e18de0d77598ea6b6ca069da2

    SHA1

    09f7ba47ca4f682f500b2aa262326d7f60ef1cfa

    SHA256

    c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99

    SHA512

    76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac
