vjw0rm | 660ade8ec5e8a4d96829bf974782baa25b76fe5626ae29a319ebb448b58a4a67

General

Target

doc00000024720000.js
Size

196KB
MD5

0a568e550259227e12d5fad3e44278d9
SHA1

ea93668fdfada948e617a98f2a9c1e60cca34cea
SHA256

660ade8ec5e8a4d96829bf974782baa25b76fe5626ae29a319ebb448b58a4a67
SHA512

e3aa2c5dfe9aa56dfc122c4d6c523665edae5555a66ea1f966efb95022811e961c0881c30c02e9d0f4115a19908c2961e188b4a1df7efff88141842b99b6f609
SSDEEP

3072:FIGmE69uz3ugounzuwdnnir6KjdbNelhkaJ:FIGmIto2zjdng6Kjj2J

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 31 IoCs

flow	pid	Process
7	1500	wscript.exe
8	1376	wscript.exe
9	1376	wscript.exe
10	1376	wscript.exe
12	1376	wscript.exe
14	1376	wscript.exe
15	1376	wscript.exe
19	1500	wscript.exe
20	1376	wscript.exe
21	1376	wscript.exe
22	1376	wscript.exe
24	1376	wscript.exe
26	1376	wscript.exe
27	1500	wscript.exe
29	1376	wscript.exe
31	1376	wscript.exe
32	1376	wscript.exe
33	1376	wscript.exe
35	1376	wscript.exe
37	1376	wscript.exe
38	1500	wscript.exe
40	1376	wscript.exe
42	1376	wscript.exe
43	1376	wscript.exe
44	1376	wscript.exe
47	1376	wscript.exe
48	1376	wscript.exe
49	1500	wscript.exe
51	1376	wscript.exe
53	1376	wscript.exe
54	1376	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doc00000024720000.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doc00000024720000.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKYImiPkzF.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKYImiPkzF.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\doc00000024720000 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\doc00000024720000.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doc00000024720000 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\doc00000024720000.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	29	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	44	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	54	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	14	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	40	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	47	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	48	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	53	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	32	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	10	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	15	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	20	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	21	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	24	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	26	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	31	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	37	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	42	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	51	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	8	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	9	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	12	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	33	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	35	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript
HTTP User-Agent header	43	WSHRAT\|D44DAEDB\|ORXGKKZC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/12/2022\|JavaScript

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1500	1376	wscript.exe	27
PID 1376 wrote to memory of 1500	1376	wscript.exe	27
PID 1376 wrote to memory of 1500	1376	wscript.exe	27

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\doc00000024720000.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FKYImiPkzF.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FKYImiPkzF.js

Filesize
62KB

MD5
384c972ff08ee2dabfff0c59daeff036

SHA1
236f8d9b6a7f5aae53e5796d0525fdf21d773f64

SHA256
ac8f80f836827fce59e2d5d20490a5b02b8e46263a5371b7f55f4f1fa741067c

SHA512
dbbd68742cf7e8db9265195dbdacdf694ccd4a946241cb2be9b9510810206b71f7b4be50903b6f9b7854f5fa3a87a73e5aeb39fb1dbf12b8ce8cbaab01205c3b

Download Submit
memory/1376-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing