vjw0rm | 1091d4d6fdd409a307b9bf322c7464687200f891f1ec6f76feb5430c6bfc38f5

General

Target

Order EMFA Elektrik.PDF.js
Size

50KB
MD5

010e12de339f3e0229c8d981133d9590
SHA1

6b4801ade8d1e043cc7da2c41d9fe06a8b6bc546
SHA256

1091d4d6fdd409a307b9bf322c7464687200f891f1ec6f76feb5430c6bfc38f5
SHA512

34873addf8b9880bb78ce0598202b19a826b65dea757570bff5d0af3f9765bfdfce285f988ae392e984e8c9f7f8d1618f1805b50fd09fc5dc416b4b98d2f6c8c
SSDEEP

1536:0A5RU5DtHzqLH5l7shkTtDbJHye7cyfrva8sQOi:0uKPHWLH51sUt/JHyoxblss

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 29 IoCs

flow	pid	Process
6	676	wscript.exe
7	1388	wscript.exe
8	1388	wscript.exe
9	1388	wscript.exe
11	1388	wscript.exe
13	1388	wscript.exe
14	1388	wscript.exe
16	676	wscript.exe
19	1388	wscript.exe
20	1388	wscript.exe
21	1388	wscript.exe
24	1388	wscript.exe
25	676	wscript.exe
27	1388	wscript.exe
28	1388	wscript.exe
30	1388	wscript.exe
31	1388	wscript.exe
34	1388	wscript.exe
36	676	wscript.exe
38	1388	wscript.exe
39	1388	wscript.exe
40	1388	wscript.exe
42	1388	wscript.exe
44	1388	wscript.exe
45	676	wscript.exe
47	1388	wscript.exe
49	1388	wscript.exe
50	1388	wscript.exe
51	1388	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order EMFA Elektrik.PDF.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fZjBkAinek.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fZjBkAinek.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order EMFA Elektrik.PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Order EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order EMFA Elektrik.PDF.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Order EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order EMFA Elektrik.PDF.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	9	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	24	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	31	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	8	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	27	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	28	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	38	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	40	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	44	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	19	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	21	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	39	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	42	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	11	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	13	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	14	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	20	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	30	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	34	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	47	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	49	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	50	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript
HTTP User-Agent header	51	WSHRAT\|94A7BB46\|RYNKSFQE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/12/2022\|JavaScript

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 676	1388	wscript.exe	27
PID 1388 wrote to memory of 676	1388	wscript.exe	27
PID 1388 wrote to memory of 676	1388	wscript.exe	27

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order EMFA Elektrik.PDF.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fZjBkAinek.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fZjBkAinek.js

Filesize
10KB

MD5
00df64659f895bc9f1a6b53505f5e8a7

SHA1
15a0f8a859aa3d296dd37d86c439762076e28657

SHA256
22008eef4a9ff032c358c48c8102a3a7ac138c71527a66593be376a6bfff5e20

SHA512
56f0ab5aa4a2c28b24f1ba309340d294d9eee3e7912ed9fe70d2650d23b2d98f4aa617e5e1658bbd36430db6ca68002a612c19f40f863d179a70a276638a4b48

Download Submit
memory/1388-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing