Malware Analysis Report

2025-01-18 12:23

Sample ID 221125-hsqc8ahf65
Target RFQ.js
SHA256 08d5d900b3a8e184322de8b75cdedbe01110f31e54f3569a4384578a3f4d17f1
Tags
vjw0rm wshrat trojan worm

Score
10/10

Analysis Overview

Score
10/10

SHA256

08d5d900b3a8e184322de8b75cdedbe01110f31e54f3569a4384578a3f4d17f1

Threat Level: Known bad

The file RFQ.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-25 07:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-25 07:00

Reported

2022-11-25 07:03

Platform

win7-20220901-en

Max time kernel

150s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js | C:\Windows\System32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header
Indicator: WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/11/2022|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A
(The same User-Agent header was observed in 7 requests.)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\RFQ.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | harold.2waky.com | udp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp

Files

memory/1516-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

memory/768-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js

MD5 36d415caba60b2d25ec025ddfb2946ff
SHA1 0f2d8827e5d953820f382b9268beaa4f1243f1f6
SHA256 a1fed232c279cf33ba1057be78a2d3ec55cb761260ee67ac3e9fbeb445ef56c0
SHA512 f0810bfeb23410093c5dc311c8c3fef12d87cbc13ae44b3ba9dd8e8e82a42b5ab877996b7587a3821c5a42d1b91ccea4436f2bdf242e008d620dee2b5ad1e5ac

memory/1060-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\RFQ.js

MD5 65847356bd0afee1a1225141a38a3424
SHA1 4f5bb8e2d6793142f6869b6de3cf8268abc8d1e8
SHA256 08d5d900b3a8e184322de8b75cdedbe01110f31e54f3569a4384578a3f4d17f1
SHA512 849905d69dbbb8c7ce36a6bb2bd46ff773286c21b07db95b5b84e133494e87392f69fb14f96e00128c1e62bd3cea5d2e2260a4ff21d54143fe04393475ae72ce

memory/2024-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js

MD5 36d415caba60b2d25ec025ddfb2946ff
SHA1 0f2d8827e5d953820f382b9268beaa4f1243f1f6
SHA256 a1fed232c279cf33ba1057be78a2d3ec55cb761260ee67ac3e9fbeb445ef56c0
SHA512 f0810bfeb23410093c5dc311c8c3fef12d87cbc13ae44b3ba9dd8e8e82a42b5ab877996b7587a3821c5a42d1b91ccea4436f2bdf242e008d620dee2b5ad1e5ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js

MD5 65847356bd0afee1a1225141a38a3424
SHA1 4f5bb8e2d6793142f6869b6de3cf8268abc8d1e8
SHA256 08d5d900b3a8e184322de8b75cdedbe01110f31e54f3569a4384578a3f4d17f1
SHA512 849905d69dbbb8c7ce36a6bb2bd46ff773286c21b07db95b5b84e133494e87392f69fb14f96e00128c1e62bd3cea5d2e2260a4ff21d54143fe04393475ae72ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js

MD5 36d415caba60b2d25ec025ddfb2946ff
SHA1 0f2d8827e5d953820f382b9268beaa4f1243f1f6
SHA256 a1fed232c279cf33ba1057be78a2d3ec55cb761260ee67ac3e9fbeb445ef56c0
SHA512 f0810bfeb23410093c5dc311c8c3fef12d87cbc13ae44b3ba9dd8e8e82a42b5ab877996b7587a3821c5a42d1b91ccea4436f2bdf242e008d620dee2b5ad1e5ac

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-25 07:00

Reported

2022-11-25 07:03

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

167s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header
Indicator: WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/11/2022|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A
(The same User-Agent header was observed in 3 requests.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4060 wrote to memory of 8 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4060 wrote to memory of 8 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4060 wrote to memory of 116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4060 wrote to memory of 116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 116 wrote to memory of 4372 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe
PID 116 wrote to memory of 4372 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\RFQ.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | harold.2waky.com | udp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 185.246.221.12:3609 | harold.2waky.com | tcp
N/A | 20.189.173.2:443 | | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp
N/A | 154.120.77.219:5465 | javaautorun.duia.ro | tcp

Files

memory/8-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js

MD5 36d415caba60b2d25ec025ddfb2946ff
SHA1 0f2d8827e5d953820f382b9268beaa4f1243f1f6
SHA256 a1fed232c279cf33ba1057be78a2d3ec55cb761260ee67ac3e9fbeb445ef56c0
SHA512 f0810bfeb23410093c5dc311c8c3fef12d87cbc13ae44b3ba9dd8e8e82a42b5ab877996b7587a3821c5a42d1b91ccea4436f2bdf242e008d620dee2b5ad1e5ac

memory/116-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\RFQ.js

MD5 65847356bd0afee1a1225141a38a3424
SHA1 4f5bb8e2d6793142f6869b6de3cf8268abc8d1e8
SHA256 08d5d900b3a8e184322de8b75cdedbe01110f31e54f3569a4384578a3f4d17f1
SHA512 849905d69dbbb8c7ce36a6bb2bd46ff773286c21b07db95b5b84e133494e87392f69fb14f96e00128c1e62bd3cea5d2e2260a4ff21d54143fe04393475ae72ce

memory/4372-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YrOEWnslxF.js

MD5 36d415caba60b2d25ec025ddfb2946ff
SHA1 0f2d8827e5d953820f382b9268beaa4f1243f1f6
SHA256 a1fed232c279cf33ba1057be78a2d3ec55cb761260ee67ac3e9fbeb445ef56c0
SHA512 f0810bfeb23410093c5dc311c8c3fef12d87cbc13ae44b3ba9dd8e8e82a42b5ab877996b7587a3821c5a42d1b91ccea4436f2bdf242e008d620dee2b5ad1e5ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ.js

MD5 06b99261af03e77d56ee37fc6bce8611
SHA1 e9a34dc471bb0d0f46f74c52fd293658445722fc
SHA256 dec5142fd0356495b7ba488f6dc24b0d970643be2c4dbbb6ff3ae098963a5747
SHA512 88dd022caabc82142bdf7b7d8cedb58c39f6fb72f114db9645ddd58761d87bb3b23c999f7eade35f07a17b1aed319a9c4375c1017f8d9d3c65db01f031901101

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YrOEWnslxF.js

MD5 36d415caba60b2d25ec025ddfb2946ff
SHA1 0f2d8827e5d953820f382b9268beaa4f1243f1f6
SHA256 a1fed232c279cf33ba1057be78a2d3ec55cb761260ee67ac3e9fbeb445ef56c0
SHA512 f0810bfeb23410093c5dc311c8c3fef12d87cbc13ae44b3ba9dd8e8e82a42b5ab877996b7587a3821c5a42d1b91ccea4436f2bdf242e008d620dee2b5ad1e5ac