vjw0rm | 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0

General

Target

UAB VISI ATSAKYMAI30000290161120220112162613..js
Size

45KB
MD5

2b4fd5e86969e9a8b56ce60175c15866
SHA1

0e6890d6be1462aa5576a00ddaac640214e70256
SHA256

0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
SHA512

7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db
SSDEEP

768:NZLlAbEuwYu+sN8Ra/4Rm9yLudr3i+ngm6rEZC0Sao4:C4uoNcawo9sUr3i+ngyC0Saj

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://snkcyp.duckdns.org:3369

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
19	3324	wscript.exe
20	2852	wscript.exe
22	3568	wscript.exe
25	3568	wscript.exe
36	2852	wscript.exe
37	3324	wscript.exe
38	3568	wscript.exe
49	3568	wscript.exe
50	3324	wscript.exe
51	2852	wscript.exe
56	3568	wscript.exe
59	3568	wscript.exe
60	3568	wscript.exe
67	2852	wscript.exe
68	3324	wscript.exe
69	3568	wscript.exe
70	3568	wscript.exe
85	3324	wscript.exe
86	2852	wscript.exe
87	3568	wscript.exe
97	3568	wscript.exe
102	3568	wscript.exe
110	3568	wscript.exe
111	3568	wscript.exe
112	3324	wscript.exe
113	2852	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	22	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	49	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	69	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	70	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	97	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	102	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	56	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	59	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	87	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	110	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript
HTTP User-Agent header	111	WSHRAT\|CEC20621\|FXOYPAIQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 24/11/2022\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 504 wrote to memory of 3324	504	wscript.exe	wscript.exe
PID 504 wrote to memory of 3324	504	wscript.exe	wscript.exe
PID 504 wrote to memory of 3568	504	wscript.exe	wscript.exe
PID 504 wrote to memory of 3568	504	wscript.exe	wscript.exe
PID 3568 wrote to memory of 2852	3568	wscript.exe	wscript.exe
PID 3568 wrote to memory of 2852	3568	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:3324

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js

Filesize
45KB

MD5
2b4fd5e86969e9a8b56ce60175c15866

SHA1
0e6890d6be1462aa5576a00ddaac640214e70256

SHA256
0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0

SHA512
7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js

Filesize
8KB

MD5
94dd9e1490caedd9dddf727c42c773f1

SHA1
8f65feb0c94185d5b514053851f2849956f2e5f7

SHA256
0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b

SHA512
741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab

Download Submit
C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js

Filesize
45KB

MD5
2b4fd5e86969e9a8b56ce60175c15866

SHA1
0e6890d6be1462aa5576a00ddaac640214e70256

SHA256
0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0

SHA512
7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

Download Submit
C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js

Filesize
8KB

MD5
94dd9e1490caedd9dddf727c42c773f1

SHA1
8f65feb0c94185d5b514053851f2849956f2e5f7

SHA256
0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b

SHA512
741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab

Download Submit
C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js

Filesize
8KB

MD5
94dd9e1490caedd9dddf727c42c773f1

SHA1
8f65feb0c94185d5b514053851f2849956f2e5f7

SHA256
0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b

SHA512
741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab

Download Submit
memory/2852-137-0x0000000000000000-mapping.dmp

Download
memory/3324-132-0x0000000000000000-mapping.dmp

Download
memory/3568-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads