Malware Analysis Report

2025-01-18 12:20

Sample ID 221123-q2dpsaae2v
Target MUIUoftbDe_movar.js
SHA256 cf7adbaa26298ae18a94b2114ea189054cfbd65cf0822a35cccb72261e3c64a7
Tags
vjw0rm wshrat persistence trojan worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

cf7adbaa26298ae18a94b2114ea189054cfbd65cf0822a35cccb72261e3c64a7

Threat Level: Known bad

The file MUIUoftbDe_movar.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 13:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 13:45

Reported

2022-11-23 13:47

Platform

win7-20220812-en

Max time kernel

151s

Max time network

167s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\MUIUoftbDe_movar.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\wscript.exe N/A 36

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oDmkpHXKkT.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oDmkpHXKkT.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oDmkpHXKkT.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MUIUoftbDe_movar.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MUIUoftbDe_movar.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MUIUoftbDe_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\MUIUoftbDe_movar.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MUIUoftbDe_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\MUIUoftbDe_movar.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MUIUoftbDe_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\MUIUoftbDe_movar.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MUIUoftbDe_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\MUIUoftbDe_movar.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 23/11/2022|JavaScript N/A N/A 26

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\MUIUoftbDe_movar.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oDmkpHXKkT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MUIUoftbDe_movar.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oDmkpHXKkT.js"

Network

Country Destination Domain Proto Count
N/A 8.8.8.8:53 javaautorun.duia.ro udp 2
N/A 154.120.118.131:5465 javaautorun.duia.ro tcp 2
N/A 45.139.105.174:7670 45.139.105.174 tcp 6
N/A 154.120.118.131:5465 javaautorun.duia.ro tcp 2
N/A 45.139.105.174:7670 45.139.105.174 tcp 5
N/A 154.120.118.131:5465 javaautorun.duia.ro tcp 2
N/A 45.139.105.174:7670 45.139.105.174 tcp 5
N/A 154.120.118.131:5465 javaautorun.duia.ro tcp 2
N/A 45.139.105.174:7670 45.139.105.174 tcp 6
N/A 154.120.118.131:5465 javaautorun.duia.ro tcp 2
N/A 45.139.105.174:7670 45.139.105.174 tcp 4

Files

memory/1624-54-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

memory/960-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\oDmkpHXKkT.js

MD5 2df5ca7cad66ae2bd13b8e4d333c3f00
SHA1 9ed68a832bd2bd20dfd7cbf2c2acc0e7948ea4c8
SHA256 8fb34cb8fbf3cb616b8b878d8bb91f5a0f674ba012e4a27dbb55d63c47225e7e
SHA512 db132b9fc3777cca7225872ef9db53df67fbca2da3bc756b33b5d51e5c89f52b96e8e9fb9772ca74935bb7045cebff6da67c60037d0065e8bc4b99bce14ff8fb

memory/2016-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\MUIUoftbDe_movar.js

MD5 d253f7ee481d6769dcad17a0e35e6d09
SHA1 81b889c7d769620bd87839c98ca6a5af230d4170
SHA256 cf7adbaa26298ae18a94b2114ea189054cfbd65cf0822a35cccb72261e3c64a7
SHA512 9e6b91b3ae23b3e67bd942d720527a3264c2f9646a55fb459bd9998af5c17b9801a4c6ada982a792bc86e5b25d8df0dbc54654985d59fc12315cee18dd090d1f

memory/852-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MUIUoftbDe_movar.js

MD5 d253f7ee481d6769dcad17a0e35e6d09
SHA1 81b889c7d769620bd87839c98ca6a5af230d4170
SHA256 cf7adbaa26298ae18a94b2114ea189054cfbd65cf0822a35cccb72261e3c64a7
SHA512 9e6b91b3ae23b3e67bd942d720527a3264c2f9646a55fb459bd9998af5c17b9801a4c6ada982a792bc86e5b25d8df0dbc54654985d59fc12315cee18dd090d1f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oDmkpHXKkT.js

MD5 2df5ca7cad66ae2bd13b8e4d333c3f00
SHA1 9ed68a832bd2bd20dfd7cbf2c2acc0e7948ea4c8
SHA256 8fb34cb8fbf3cb616b8b878d8bb91f5a0f674ba012e4a27dbb55d63c47225e7e
SHA512 db132b9fc3777cca7225872ef9db53df67fbca2da3bc756b33b5d51e5c89f52b96e8e9fb9772ca74935bb7045cebff6da67c60037d0065e8bc4b99bce14ff8fb

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 13:45

Reported

2022-11-23 13:46

Platform

win10v2004-20221111-en

Max time network

13s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto Count
N/A 67.24.25.254:80 N/A tcp 3
N/A 104.80.225.205:443 N/A tcp 1

Files

N/A