vjw0rm | b29f7ef3d2fc192562ade4242016a762ad7863c8936b30d6e91565d820734ba9

Analysis

max time kernel
152s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Spec.PDF.js
Size

40KB
MD5

866bc1d7e3b0b0f5d50f822d901cc6db
SHA1

981e383028b2672260a69f4b4210d76ad0946533
SHA256

b29f7ef3d2fc192562ade4242016a762ad7863c8936b30d6e91565d820734ba9
SHA512

00dea71438fbb27c492f3201d64ae342864cae5e3672ad9504363577570b930e6e744c6785be2d675f9439d0de821c87dfca2fc41e84cffcde1dd7bbf9d35a8b
SSDEEP

768:NKm0ftIQVmYOn+QSkQqRp2iDg0vGcxZfznJNanLPE0BcOlh:cVftIQmSkR2iDYefXWM0BcOD

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://45.139.105.174:1604

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 17 IoCs

flow	pid	Process
16	3392	wscript.exe
18	4844	wscript.exe
32	3392	wscript.exe
33	4844	wscript.exe
36	3392	wscript.exe
37	3392	wscript.exe
41	4844	wscript.exe
45	3392	wscript.exe
46	3392	wscript.exe
47	3392	wscript.exe
48	3392	wscript.exe
51	4844	wscript.exe
53	4844	wscript.exe
54	3392	wscript.exe
61	3392	wscript.exe
62	4844	wscript.exe
63	3392	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Spec.PDF.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHRCMgDdNJ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHRCMgDdNJ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Spec.PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Order Spec = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order Spec.PDF.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Order Spec = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order Spec.PDF.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	45	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/11/2022\|JavaScript
HTTP User-Agent header	46	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/11/2022\|JavaScript
HTTP User-Agent header	47	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/11/2022\|JavaScript
HTTP User-Agent header	61	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/11/2022\|JavaScript
HTTP User-Agent header	32	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/11/2022\|JavaScript
HTTP User-Agent header	36	WSHRAT\|94D95F5C\|GBQHURCC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/11/2022\|JavaScript

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4844	3392	wscript.exe	81
PID 3392 wrote to memory of 4844	3392	wscript.exe	81

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order Spec.PDF.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DHRCMgDdNJ.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DHRCMgDdNJ.js

Filesize
6KB

MD5
632a1c96cfffa418b08375cfe6d6c9aa

SHA1
8c43d121c6e4b7859c20ecad06feb1a1b32d1f0e

SHA256
a68ed70a13255af4d8ba9bc0b5024e13a4e5e07153b4d1169965f774f4328d8d

SHA512
8bd0e9821ea72602544c0af137e61d792d7a5c73196b9f39fb9331ce676535ab9225def366f83923db99ca46e5d217aa38e51934f440f2fee565f9e45e504a43

Download Submit