Malware Analysis Report

2025-01-18 12:22

Sample ID 221109-r35qbsbcek
Target 879-5160.js
SHA256 74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68
Tags
vjw0rm wshrat persistence trojan worm
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68

Threat Level: Known bad

The file 879-5160.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 14:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 14:44

Reported

2022-11-09 14:47

Platform

win7-20220812-en

Max time kernel

151s

Max time network

163s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | C:\Windows\system32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | C:\Windows\System32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jre7\food.jar | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | "WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A
HTTP User-Agent header | "WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A
HTTP User-Agent header | "WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A
HTTP User-Agent header | "WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\food.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\food.jar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
US | 8.8.8.8:53 | egodds.longmusic.com | udp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
US | 8.8.8.8:53 | repo1.maven.org | udp
US | 8.8.8.8:53 | github.com | udp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 140.82.112.4:443 | github.com | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
US | 8.8.8.8:53 | wshsoft.company | udp
SG | 194.59.164.67:80 | wshsoft.company | tcp
US | 8.8.8.8:53 | objects.githubusercontent.com | udp
US | 185.199.108.133:443 | objects.githubusercontent.com | tcp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp

Files

memory/980-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

memory/1724-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js

MD5 4ae28435a346bd27612683e2dd95d23a
SHA1 cf1e5c6550216f15e175576d9229a6ed2bed965f
SHA256 c18232e11968884595a6ca0f2c3c6d43c864d97f3212b99d4eb6b4194a589cfa
SHA512 9d7140675a82e375364f7726f83bc311028644ff2f8f6857b1cf91ec3ea74938ed3a6c0d1c0dc099918d886db0e70c01721c17e5ec0930e9a201d450336df13f

memory/592-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\food.jar

MD5 3af77cc94136164de04568f4f1aed56c
SHA1 4cbff075ffa329b5b98cf892512f88dcd5804218
SHA256 b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede
SHA512 657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

memory/592-66-0x00000000020F0000-0x00000000050F0000-memory.dmp

memory/592-71-0x00000000020F0000-0x00000000050F0000-memory.dmp

memory/1964-72-0x0000000000000000-mapping.dmp

C:\Program Files\Java\jre7\food.jar

MD5 3af77cc94136164de04568f4f1aed56c
SHA1 4cbff075ffa329b5b98cf892512f88dcd5804218
SHA256 b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede
SHA512 657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

memory/1964-81-0x0000000002150000-0x0000000005150000-memory.dmp

memory/1964-85-0x0000000002150000-0x0000000005150000-memory.dmp

memory/2008-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\food.jar

MD5 3af77cc94136164de04568f4f1aed56c
SHA1 4cbff075ffa329b5b98cf892512f88dcd5804218
SHA256 b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede
SHA512 657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

memory/2008-99-0x0000000002130000-0x0000000005130000-memory.dmp

C:\Users\Admin\lib\system-hook-3.5.jar

MD5 e1aa38a1e78a76a6de73efae136cdb3a
SHA1 c463da71871f780b2e2e5dba115d43953b537daf
SHA256 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512 fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

C:\Users\Admin\lib\jna-platform-5.5.0.jar

MD5 2f4a99c2758e72ee2b59a73586a2322f
SHA1 af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA256 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512 b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

C:\Users\Admin\lib\jna-5.5.0.jar

MD5 acfb5b5fd9ee10bf69497792fd469f85
SHA1 0e0845217c4907822403912ad6828d8e0b256208
SHA256 b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512 e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\83aa4cc77f591dfc2374580bbd95f6ba_7725c12a-7257-458e-a47f-7029d9191548

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/2008-104-0x0000000002130000-0x0000000005130000-memory.dmp

\Users\Admin\AppData\Local\Temp\jna-63116079\jna500106253911765396.dll

MD5 e02979ecd43bcc9061eb2b494ab5af50
SHA1 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256 a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA512 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 14:44

Reported

2022-11-09 14:47

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | C:\Windows\system32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A
HTTP User-Agent header | "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A
HTTP User-Agent header | "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A
HTTP User-Agent header | "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands" | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4864 wrote to memory of 1120 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4864 wrote to memory of 1120 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4864 wrote to memory of 4768 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4864 wrote to memory of 4768 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 104.80.228.106:443 | N/A | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 8.253.225.254:80 | N/A | tcp
US | 8.253.225.254:80 | N/A | tcp
NL | 104.80.228.106:443 | N/A | tcp
US | 8.8.8.8:53 | egodds.longmusic.com | udp
US | 209.197.3.8:80 | N/A | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
US | 8.8.8.8:53 | wshsoft.company | udp
SG | 194.59.164.67:80 | wshsoft.company | tcp
US | 5.62.56.23:5465 | javaautorun.duia.ro | tcp
JP | 172.93.220.135:2048 | egodds.longmusic.com | tcp
US | 8.8.8.8:53 | repo1.maven.org | udp
US | 8.8.8.8:53 | github.com | udp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 140.82.112.3:443 | github.com | tcp
US | 20.42.72.131:443 | N/A | tcp

Files

memory/1120-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js

MD5 4ae28435a346bd27612683e2dd95d23a
SHA1 cf1e5c6550216f15e175576d9229a6ed2bed965f
SHA256 c18232e11968884595a6ca0f2c3c6d43c864d97f3212b99d4eb6b4194a589cfa
SHA512 9d7140675a82e375364f7726f83bc311028644ff2f8f6857b1cf91ec3ea74938ed3a6c0d1c0dc099918d886db0e70c01721c17e5ec0930e9a201d450336df13f

memory/4768-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\food.jar

MD5 3af77cc94136164de04568f4f1aed56c
SHA1 4cbff075ffa329b5b98cf892512f88dcd5804218
SHA256 b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede
SHA512 657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

memory/4768-140-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-141-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-155-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-156-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-157-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-161-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-162-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-163-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-164-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-165-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-166-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-167-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-168-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-169-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-170-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-171-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-172-0x00000000030E0000-0x00000000040E0000-memory.dmp

memory/4768-173-0x00000000030E0000-0x00000000040E0000-memory.dmp