vjw0rm | 7ebd49f02df0409e5bdc81f93d4ab6af67c2c5690ef4766af6cda8f7e3d4e837

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB NO - 4806763435.js
Size

304KB
MD5

0cdef7f1449aca5a0c1439844d33a593
SHA1

9ef5f183e1253b349549ed704e35deba2b439bde
SHA256

7367743f876ffc7a318d768e51dd4b9323b8e7561b67827eca9ab0a2c1e670e4
SHA512

d9547601d7b6d4b771cbb74dbcd0d65db1dea7f6766a47b7567b31e8102172d268eee02108c47d526ac3b7f2a6a8015e757f86d355d17ff7fd9b642e95eaf3b1
SSDEEP

6144:pmnZ8AVCSuhEg9s44GY5Yi3CM2OMZ0PQ8xa6nlF20xuf:8hb/z5j3CMXVDKa+

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://goodies.dynamic-dns.net:9202

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 17 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
7	5096	wscript.exe
9	5112	wscript.exe
11	5096	wscript.exe
32	5096	wscript.exe
33	5112	wscript.exe
58	5096	wscript.exe
62	5112	wscript.exe
71	5096	wscript.exe
74	5112	wscript.exe
90	5096	wscript.exe
96	5112	wscript.exe
104	5096	wscript.exe
109	5096	wscript.exe
110	5096	wscript.exe
112	5096	wscript.exe
113	5112	wscript.exe
115	5096	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njeyOecDmy.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njeyOecDmy.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB NO - 4806763435.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB NO - 4806763435.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB NO - 4806763435 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB NO - 4806763435.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB NO - 4806763435 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB NO - 4806763435.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	ip-api.com

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	104	WSHRAT\|CAC17A11\|SOCAAGDT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	109	WSHRAT\|CAC17A11\|SOCAAGDT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	110	WSHRAT\|CAC17A11\|SOCAAGDT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	112	WSHRAT\|CAC17A11\|SOCAAGDT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 23/11/2022\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 5096 wrote to memory of 5112	5096	wscript.exe	wscript.exe
PID 5096 wrote to memory of 5112	5096	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\AWB NO - 4806763435.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\njeyOecDmy.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\njeyOecDmy.js

Filesize
23KB

MD5
cb7b1e25dbd510808b9f4da5e42bcdfb

SHA1
774997619f8555040c73370956befa0499517d4e

SHA256
17507b4207dca3a61f28569f7d223da77df9584e003ba77844d75564a0bcfbe2

SHA512
dc703ce8d1660886afd65f4b1e65ccc7a6999d4f5fc2a7151a73d6d0f1cc9a35ece14e4bffc04353a2c311a0376516bd19b2eca7cbdb4c9f00a7e95d9c70cb6b

Download Submit
memory/5112-132-0x0000000000000000-mapping.dmp

Download