Malware Analysis Report

2025-01-18 12:22

Sample ID 221111-xbmnbshh42
Target PO N°CF004303.js
SHA256 c1c242402b2a89f84fe0062b56c3dab6505fffdd23efde258dcce8a3ede90c61
Tags
vjw0rm wshrat persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1c242402b2a89f84fe0062b56c3dab6505fffdd23efde258dcce8a3ede90c61

Threat Level: Known bad

The file PO N°CF004303.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

WSHRAT

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-11 18:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-11 18:40

Reported

2022-11-11 18:43

Platform

win7-20220812-en

Max time kernel

148s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NptIEOIAPW.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NptIEOIAPW.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/11/2022|JavaScript N/A N/A
(this identical User-Agent header was recorded 26 times in this run)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1120 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
(this identical WriteProcessMemory event was recorded 3 times in this run)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NptIEOIAPW.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp

Files

memory/1948-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

memory/1120-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\NptIEOIAPW.js

MD5 c6361105b5a6ea4b23f5f8d172f6c3c5
SHA1 22dd4a5b4d6dc19b0df8737540b0f1230dbb5485
SHA256 21ccb78d2daa2a334104ec4d591ab8c4866225781d8ca92373befb21b1f6cce7
SHA512 789c4773b269cedeaaff4ca319ca4ce262fafe8f135f7d685c1cd7c90db95c60908a01dd194917d7004365f7aa3e8c11197e338288fee58b9152b9754f6ffb99

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-11 18:40

Reported

2022-11-11 18:43

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NptIEOIAPW.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NptIEOIAPW.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 11/11/2022|JavaScript N/A N/A
(this identical User-Agent header was recorded 19 times in this run)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 1052 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
(this identical WriteProcessMemory event was recorded 2 times in this run)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NptIEOIAPW.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 178.79.208.1:80 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 84.38.130.210:2070 84.38.130.210 tcp

Files

memory/1052-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\NptIEOIAPW.js

MD5 c6361105b5a6ea4b23f5f8d172f6c3c5
SHA1 22dd4a5b4d6dc19b0df8737540b0f1230dbb5485
SHA256 21ccb78d2daa2a334104ec4d591ab8c4866225781d8ca92373befb21b1f6cce7
SHA512 789c4773b269cedeaaff4ca319ca4ce262fafe8f135f7d685c1cd7c90db95c60908a01dd194917d7004365f7aa3e8c11197e338288fee58b9152b9754f6ffb99