Malware Analysis Report

2025-01-18 12:20

Sample ID 221202-vx7jhsgg46
Target RZKpmwZyCc_movar.js
SHA256 c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5
Tags
vjw0rm wshrat persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5

Threat Level: Known bad

The file RZKpmwZyCc_movar.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-02 17:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-02 17:23

Reported

2022-12-02 17:26

Platform

win7-20221111-en

Max time kernel

150s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\RZKpmwZyCc_movar.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTycLbjPNg.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTycLbjPNg.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|E8EA1FD0|VUIIVLGQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 2/12/2022|JavaScript N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\RZKpmwZyCc_movar.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RZKpmwZyCc_movar.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 41.217.26.155:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp

Files

memory/1728-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

memory/592-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js

MD5 109194f9f824f9cbcbc8cbaf85502175
SHA1 faf63812152fc2c5b1858c1f6acc41ef81475dc5
SHA256 1931b5e0f1160d985036b8fd753dd93206db0f03eb6b15c6d1e04b437066e9d9
SHA512 63362d6e68cf44008ea8535265dd0b5fbbd2bf58c5d501be100f4d5c23549e3165c611f0d26b89e13ba4578b7bd1964fbb931ec769af453b1935e1e4a73b8e93

memory/468-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RZKpmwZyCc_movar.js

MD5 387b3482bc2829229722380c02a7a6f0
SHA1 81869d1b70775e564e583fb955ae8179b183122f
SHA256 c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5
SHA512 5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b

memory/672-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js

MD5 387b3482bc2829229722380c02a7a6f0
SHA1 81869d1b70775e564e583fb955ae8179b183122f
SHA256 c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5
SHA512 5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTycLbjPNg.js

MD5 109194f9f824f9cbcbc8cbaf85502175
SHA1 faf63812152fc2c5b1858c1f6acc41ef81475dc5
SHA256 1931b5e0f1160d985036b8fd753dd93206db0f03eb6b15c6d1e04b437066e9d9
SHA512 63362d6e68cf44008ea8535265dd0b5fbbd2bf58c5d501be100f4d5c23549e3165c611f0d26b89e13ba4578b7bd1964fbb931ec769af453b1935e1e4a73b8e93

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-02 17:23

Reported

2022-12-02 17:26

Platform

win10v2004-20221111-en

Max time kernel

151s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\RZKpmwZyCc_movar.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTycLbjPNg.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTycLbjPNg.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RZKpmwZyCc_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RZKpmwZyCc_movar.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|36C15E1A|WIJBFSKT|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 2/12/2022|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 4820 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4272 wrote to memory of 4440 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4440 wrote to memory of 2844 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\RZKpmwZyCc_movar.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RZKpmwZyCc_movar.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js"

Network

Country Destination Domain Proto
N/A 45.139.105.174:7670 tcp
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 41.217.26.155:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp

Files

memory/4820-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js

MD5 109194f9f824f9cbcbc8cbaf85502175
SHA1 faf63812152fc2c5b1858c1f6acc41ef81475dc5
SHA256 1931b5e0f1160d985036b8fd753dd93206db0f03eb6b15c6d1e04b437066e9d9
SHA512 63362d6e68cf44008ea8535265dd0b5fbbd2bf58c5d501be100f4d5c23549e3165c611f0d26b89e13ba4578b7bd1964fbb931ec769af453b1935e1e4a73b8e93

memory/4440-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RZKpmwZyCc_movar.js

MD5 387b3482bc2829229722380c02a7a6f0
SHA1 81869d1b70775e564e583fb955ae8179b183122f
SHA256 c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5
SHA512 5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b

memory/2844-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js

MD5 387b3482bc2829229722380c02a7a6f0
SHA1 81869d1b70775e564e583fb955ae8179b183122f
SHA256 c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5
SHA512 5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b