Malware Analysis Report

2025-01-18 12:21

Sample ID 221107-hmhfesche5
Target payment receipt.js
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
Tags
vjw0rm wshrat persistence trojan worm
score
10/10


Analysis Overview

score
10/10

SHA256

5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501

Threat Level: Known bad

The file payment receipt.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

WSHRAT

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-07 06:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-07 06:51

Reported

2022-11-07 06:54

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

160s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 7/11/2022|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 1968 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4732 wrote to memory of 3992 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 3992 wrote to memory of 4956 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

Network

Country Destination Domain Proto
US 8.252.118.126:80 tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 takeall.duckdns.org udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
US 8.253.209.121:80 tcp
US 93.184.220.29:80 tcp
US 67.26.211.254:80 tcp
US 8.252.117.126:80 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp

Files

memory/1968-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

memory/3992-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

memory/4956-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-07 06:51

Reported

2022-11-07 06:53

Platform

win7-20220812-en

Max time kernel

151s

Max time network

154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/11/2022|JavaScript N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 takeall.duckdns.org udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp

Files

memory/1388-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

memory/764-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

memory/964-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

memory/1732-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93