vjw0rm | f1cbac28e8fab8c57c6ef688a473f607073ef2e23058faf2154cfc8ecfc889a2

General

Target

RFQ2022-284.js
Size

43KB
MD5

fa2a3aa3871df17e3178c6090cb3e759
SHA1

5437b35ae4419dea19dbc82ec4fc72abb805cb43
SHA256

f1cbac28e8fab8c57c6ef688a473f607073ef2e23058faf2154cfc8ecfc889a2
SHA512

a062025594251910f10feabf77ff0b45e4578932d9f978538c84e120a3416c4fe5b986e75b21bfeb37df1d1c97ffb87588bccfcb549358df54694856b76736a7
SSDEEP

768:NYNHavYQXufkGTg1Cp6oLmK0skxnYYToJC6XUFa1sQrEzRxshs:ewASGlmK0skxnci2sQYzRxv

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:2070

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 13 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
41	4748	wscript.exe
43	4156	wscript.exe
44	2984	wscript.exe
84	4748	wscript.exe
87	4156	wscript.exe
88	2984	wscript.exe
91	4748	wscript.exe
104	2984	wscript.exe
105	4156	wscript.exe
108	4748	wscript.exe
111	2984	wscript.exe
112	4156	wscript.exe
119	4748	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2022-284.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2022-284.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YWLXdTFuMy.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YWLXdTFuMy.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YWLXdTFuMy.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2022-284 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2022-284.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2022-284 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2022-284.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2022-284 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2022-284.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2022-284 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2022-284.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	119	WSHRAT\|CAC17A11\|SOCAAGDT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/12/2022\|JavaScript
HTTP User-Agent header	84	WSHRAT\|CAC17A11\|SOCAAGDT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/12/2022\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 4308 wrote to memory of 2984	4308	wscript.exe	wscript.exe
PID 4308 wrote to memory of 2984	4308	wscript.exe	wscript.exe
PID 4308 wrote to memory of 4748	4308	wscript.exe	wscript.exe
PID 4308 wrote to memory of 4748	4308	wscript.exe	wscript.exe
PID 4748 wrote to memory of 4156	4748	wscript.exe	wscript.exe
PID 4748 wrote to memory of 4156	4748	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2022-284.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YWLXdTFuMy.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:2984

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ2022-284.js"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YWLXdTFuMy.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2022-284.js

Filesize
43KB

MD5
fa2a3aa3871df17e3178c6090cb3e759

SHA1
5437b35ae4419dea19dbc82ec4fc72abb805cb43

SHA256
f1cbac28e8fab8c57c6ef688a473f607073ef2e23058faf2154cfc8ecfc889a2

SHA512
a062025594251910f10feabf77ff0b45e4578932d9f978538c84e120a3416c4fe5b986e75b21bfeb37df1d1c97ffb87588bccfcb549358df54694856b76736a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YWLXdTFuMy.js

Filesize
7KB

MD5
1b63f63d081603eaaef901642e91e0a6

SHA1
15edec771ee9bf10abadb787a04ca47c695c7a49

SHA256
1cb479828c01c32cf90d10fff552dc29c54f0d1d0a30c307243dcb3efc13869c

SHA512
059b4bfef7c681600e9356fe488d73a2175c5bfd4a783b8dffdb0d2e437d36b98bda5a4e454e67f56c639f36013ac623cca9abdf1249100dd1a97f4b6779c96b

Download Submit
C:\Users\Admin\AppData\Roaming\RFQ2022-284.js

Filesize
43KB

MD5
fa2a3aa3871df17e3178c6090cb3e759

SHA1
5437b35ae4419dea19dbc82ec4fc72abb805cb43

SHA256
f1cbac28e8fab8c57c6ef688a473f607073ef2e23058faf2154cfc8ecfc889a2

SHA512
a062025594251910f10feabf77ff0b45e4578932d9f978538c84e120a3416c4fe5b986e75b21bfeb37df1d1c97ffb87588bccfcb549358df54694856b76736a7

Download Submit
C:\Users\Admin\AppData\Roaming\YWLXdTFuMy.js

Filesize
7KB

MD5
1b63f63d081603eaaef901642e91e0a6

SHA1
15edec771ee9bf10abadb787a04ca47c695c7a49

SHA256
1cb479828c01c32cf90d10fff552dc29c54f0d1d0a30c307243dcb3efc13869c

SHA512
059b4bfef7c681600e9356fe488d73a2175c5bfd4a783b8dffdb0d2e437d36b98bda5a4e454e67f56c639f36013ac623cca9abdf1249100dd1a97f4b6779c96b

Download Submit
C:\Users\Admin\AppData\Roaming\YWLXdTFuMy.js

Filesize
7KB

MD5
1b63f63d081603eaaef901642e91e0a6

SHA1
15edec771ee9bf10abadb787a04ca47c695c7a49

SHA256
1cb479828c01c32cf90d10fff552dc29c54f0d1d0a30c307243dcb3efc13869c

SHA512
059b4bfef7c681600e9356fe488d73a2175c5bfd4a783b8dffdb0d2e437d36b98bda5a4e454e67f56c639f36013ac623cca9abdf1249100dd1a97f4b6779c96b

Download Submit
memory/2984-132-0x0000000000000000-mapping.dmp

Download
memory/4156-136-0x0000000000000000-mapping.dmp

Download
memory/4748-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads