vjw0rm | bfcdf288d8a45d170910b4cd04d811f2afe6d9bf9ff3eab8d250cde2eeb70a3a

General

Target

Proof of Payment.js
Size

429KB
MD5

019687721f2294d4bdc0e820b8e1c05d
SHA1

4aa96ea352ce89cebbf662cb83cdd5676fa86a21
SHA256

bfcdf288d8a45d170910b4cd04d811f2afe6d9bf9ff3eab8d250cde2eeb70a3a
SHA512

738c8295188477b8fbda8a6d19817b835aafc8dac8a9501fec53c4bcd0a758fefa8b369e6679d7b597ef4067b6c13a9c05bfb82a19ce614879da3e2260d49f83
SSDEEP

3072:tpZFqXDp3Xjehwn+9eKa5VGzcK7GbOlkFPPcG58MMDzMHKyC3kMFdMWnKzMhfinQ:tW9XjeSn+0kunSF0L0

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://185.246.220.208:5358

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 22 IoCs

flow	pid	Process
9	1020	wscript.exe
10	972	wscript.exe
11	608	wscript.exe
12	1020	wscript.exe
13	1020	wscript.exe
14	972	wscript.exe
18	1020	wscript.exe
20	972	wscript.exe
22	608	wscript.exe
24	1020	wscript.exe
28	972	wscript.exe
29	1020	wscript.exe
32	1020	wscript.exe
33	972	wscript.exe
35	608	wscript.exe
37	1020	wscript.exe
38	972	wscript.exe
41	1020	wscript.exe
45	608	wscript.exe
46	972	wscript.exe
48	1020	wscript.exe
50	1020	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proof of Payment.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proof of Payment.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zAXyTjDCiS.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zAXyTjDCiS.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zAXyTjDCiS.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proof of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof of Payment.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Proof of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof of Payment.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proof of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof of Payment.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Proof of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof of Payment.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	WSHRAT\|5C41F0CB\|ZERMMMDR\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/12/2022\|JavaScript
HTTP User-Agent header	22	WSHRAT\|5C41F0CB\|ZERMMMDR\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/12/2022\|JavaScript
HTTP User-Agent header	35	WSHRAT\|5C41F0CB\|ZERMMMDR\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/12/2022\|JavaScript
HTTP User-Agent header	45	WSHRAT\|5C41F0CB\|ZERMMMDR\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/12/2022\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 972	948	wscript.exe	28
PID 948 wrote to memory of 972	948	wscript.exe	28
PID 948 wrote to memory of 972	948	wscript.exe	28
PID 948 wrote to memory of 608	948	wscript.exe	29
PID 948 wrote to memory of 608	948	wscript.exe	29
PID 948 wrote to memory of 608	948	wscript.exe	29
PID 608 wrote to memory of 1020	608	wscript.exe	31
PID 608 wrote to memory of 1020	608	wscript.exe	31
PID 608 wrote to memory of 1020	608	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zAXyTjDCiS.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:972
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Proof of Payment.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zAXyTjDCiS.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proof of Payment.js

Filesize
429KB

MD5
019687721f2294d4bdc0e820b8e1c05d

SHA1
4aa96ea352ce89cebbf662cb83cdd5676fa86a21

SHA256
bfcdf288d8a45d170910b4cd04d811f2afe6d9bf9ff3eab8d250cde2eeb70a3a

SHA512
738c8295188477b8fbda8a6d19817b835aafc8dac8a9501fec53c4bcd0a758fefa8b369e6679d7b597ef4067b6c13a9c05bfb82a19ce614879da3e2260d49f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zAXyTjDCiS.js

Filesize
146KB

MD5
5c2f77f4a33bfda4e38dff84c96a5554

SHA1
d32a13b69d058ec4dd441b2ccbbe2edf465edbe8

SHA256
20cfd9afbfb553d02f2eaa5252a1208000103235d7d9def970c0e16053c9f599

SHA512
538dfe96b3b03fe9a82e6416335f60eb6ac46f0661971ae17610ed34bd5064764e82a80b3389d6d8d360f07a0af861674426d863fd06c5d172eae376b82e2bc5

Download Submit
C:\Users\Admin\AppData\Roaming\Proof of Payment.js

Filesize
429KB

MD5
019687721f2294d4bdc0e820b8e1c05d

SHA1
4aa96ea352ce89cebbf662cb83cdd5676fa86a21

SHA256
bfcdf288d8a45d170910b4cd04d811f2afe6d9bf9ff3eab8d250cde2eeb70a3a

SHA512
738c8295188477b8fbda8a6d19817b835aafc8dac8a9501fec53c4bcd0a758fefa8b369e6679d7b597ef4067b6c13a9c05bfb82a19ce614879da3e2260d49f83

Download Submit
C:\Users\Admin\AppData\Roaming\zAXyTjDCiS.js

Filesize
146KB

MD5
5c2f77f4a33bfda4e38dff84c96a5554

SHA1
d32a13b69d058ec4dd441b2ccbbe2edf465edbe8

SHA256
20cfd9afbfb553d02f2eaa5252a1208000103235d7d9def970c0e16053c9f599

SHA512
538dfe96b3b03fe9a82e6416335f60eb6ac46f0661971ae17610ed34bd5064764e82a80b3389d6d8d360f07a0af861674426d863fd06c5d172eae376b82e2bc5

Download Submit
C:\Users\Admin\AppData\Roaming\zAXyTjDCiS.js

Filesize
146KB

MD5
5c2f77f4a33bfda4e38dff84c96a5554

SHA1
d32a13b69d058ec4dd441b2ccbbe2edf465edbe8

SHA256
20cfd9afbfb553d02f2eaa5252a1208000103235d7d9def970c0e16053c9f599

SHA512
538dfe96b3b03fe9a82e6416335f60eb6ac46f0661971ae17610ed34bd5064764e82a80b3389d6d8d360f07a0af861674426d863fd06c5d172eae376b82e2bc5

Download Submit
memory/948-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing