Analysis

  • max time kernel
    150s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 07:15

General

  • Target

    LPO-17-006AD.js

  • Size

    46KB

  • MD5

    39ebb40e7ee6c296d7b1a9bbb4bbbcd0

  • SHA1

    5f902618378e2b6b8de9248cc5b66fb97dc9c597

  • SHA256

    1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824

  • SHA512

    87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d

  • SSDEEP

    768:NZLtbhEL68CUNTwpDfBDSQgl99Yi2e69KfDake7sgQGjnS/6IJnXBn0iNtY:5+e8/CDfBDBaJg9XkSsSYBns

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:2070

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request 21 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\LPO-17-006AD.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1152
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LPO-17-006AD.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:5060

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\LPO-17-006AD.js
    Filesize

    46KB

    MD5

    39ebb40e7ee6c296d7b1a9bbb4bbbcd0

    SHA1

    5f902618378e2b6b8de9248cc5b66fb97dc9c597

    SHA256

    1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824

    SHA512

    87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPO-17-006AD.js
    Filesize

    46KB

    MD5

    39ebb40e7ee6c296d7b1a9bbb4bbbcd0

    SHA1

    5f902618378e2b6b8de9248cc5b66fb97dc9c597

    SHA256

    1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824

    SHA512

    87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGIeVawdbu.js
    Filesize

    8KB

    MD5

    ea0d77b36ac9cf8c6cdc5b6036926b2d

    SHA1

    0e57942ff644e2fd66aa94c1cf0f8007f0fd57a5

    SHA256

    43038d29162c4df4f2e0aedb0c0ecde9b16ce3fe85c248c45ee215b6cee5b776

    SHA512

    9328bdeb68046519d74c46c321a496832fe601b1d7ee853e160db2042e1a88b7cbfd0eee8474e262a5a5c0f28f9bdf97bf7eefb07265123ce6e0e1874eada887

  • C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js
    Filesize

    8KB

    MD5

    ea0d77b36ac9cf8c6cdc5b6036926b2d

    SHA1

    0e57942ff644e2fd66aa94c1cf0f8007f0fd57a5

    SHA256

    43038d29162c4df4f2e0aedb0c0ecde9b16ce3fe85c248c45ee215b6cee5b776

    SHA512

    9328bdeb68046519d74c46c321a496832fe601b1d7ee853e160db2042e1a88b7cbfd0eee8474e262a5a5c0f28f9bdf97bf7eefb07265123ce6e0e1874eada887

  • memory/1152-132-0x0000000000000000-mapping.dmp
  • memory/4848-134-0x0000000000000000-mapping.dmp
  • memory/5060-137-0x0000000000000000-mapping.dmp