vjw0rm | 7ebd49f02df0409e5bdc81f93d4ab6af67c2c5690ef4766af6cda8f7e3d4e837

Analysis

max time kernel
136s
max time network
145s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB NO - 4806763435.js
Size

304KB
MD5

0cdef7f1449aca5a0c1439844d33a593
SHA1

9ef5f183e1253b349549ed704e35deba2b439bde
SHA256

7367743f876ffc7a318d768e51dd4b9323b8e7561b67827eca9ab0a2c1e670e4
SHA512

d9547601d7b6d4b771cbb74dbcd0d65db1dea7f6766a47b7567b31e8102172d268eee02108c47d526ac3b7f2a6a8015e757f86d355d17ff7fd9b642e95eaf3b1
SSDEEP

6144:pmnZ8AVCSuhEg9s44GY5Yi3CM2OMZ0PQ8xa6nlF20xuf:8hb/z5j3CMXVDKa+

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://goodies.dynamic-dns.net:9202

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 14 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
7	1260	wscript.exe
8	776	wscript.exe
10	1260	wscript.exe
15	1260	wscript.exe
18	776	wscript.exe
21	1260	wscript.exe
24	776	wscript.exe
25	1260	wscript.exe
28	1260	wscript.exe
29	1260	wscript.exe
30	1260	wscript.exe
32	1260	wscript.exe
34	776	wscript.exe
37	776	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB NO - 4806763435.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB NO - 4806763435.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njeyOecDmy.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njeyOecDmy.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWB NO - 4806763435 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB NO - 4806763435.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB NO - 4806763435 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB NO - 4806763435.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
5	ip-api.com

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	21	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	29	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	30	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1260 wrote to memory of 776	1260	wscript.exe	wscript.exe
PID 1260 wrote to memory of 776	1260	wscript.exe	wscript.exe
PID 1260 wrote to memory of 776	1260	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\AWB NO - 4806763435.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\njeyOecDmy.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\njeyOecDmy.js

Filesize
23KB

MD5
cb7b1e25dbd510808b9f4da5e42bcdfb

SHA1
774997619f8555040c73370956befa0499517d4e

SHA256
17507b4207dca3a61f28569f7d223da77df9584e003ba77844d75564a0bcfbe2

SHA512
dc703ce8d1660886afd65f4b1e65ccc7a6999d4f5fc2a7151a73d6d0f1cc9a35ece14e4bffc04353a2c311a0376516bd19b2eca7cbdb4c9f00a7e95d9c70cb6b

Download Submit
memory/776-55-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download