vjw0rm | 069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87

General

Target

Solicitation#E62-359.pdf.js
Size

984KB
MD5

4e2d729e9c8329faf413b544c6e3e142
SHA1

a2e1e676ef6be73c851acbaf46b00eb8635fb875
SHA256

069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87
SHA512

24f0eeec9c97dbd77601c46bf2cd4ae02ebfc23f291367d1308a369df8b5f48794a11ec5720853e8507a1fa576d4b9164231ca65a4c7fa12fc7219d3ed86917f
SSDEEP

6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8zeLoJFl7BU/J:eQ3B7qgpkLoU

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://bona.kasowiitz.com:50125

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 58 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
10	1304	wscript.exe
11	568	wscript.exe
12	336	wscript.exe
13	568	wscript.exe
16	336	wscript.exe
17	1304	wscript.exe
18	568	wscript.exe
21	568	wscript.exe
23	1304	wscript.exe
25	336	wscript.exe
29	568	wscript.exe
31	1304	wscript.exe
33	568	wscript.exe
34	336	wscript.exe
37	568	wscript.exe
39	1304	wscript.exe
41	336	wscript.exe
42	568	wscript.exe
44	568	wscript.exe
46	1304	wscript.exe
48	336	wscript.exe
51	568	wscript.exe
53	1304	wscript.exe
54	336	wscript.exe
56	568	wscript.exe
58	568	wscript.exe
61	1304	wscript.exe
62	336	wscript.exe
64	568	wscript.exe
67	568	wscript.exe
68	1304	wscript.exe
69	336	wscript.exe
74	568	wscript.exe
76	1304	wscript.exe
77	336	wscript.exe
80	568	wscript.exe
82	568	wscript.exe
83	1304	wscript.exe
85	336	wscript.exe
86	568	wscript.exe
89	1304	wscript.exe
91	568	wscript.exe
92	336	wscript.exe
96	568	wscript.exe
98	1304	wscript.exe
100	336	wscript.exe
101	568	wscript.exe
104	568	wscript.exe
106	1304	wscript.exe
108	336	wscript.exe
109	568	wscript.exe
111	1304	wscript.exe
112	568	wscript.exe
117	336	wscript.exe
119	568	wscript.exe
121	1304	wscript.exe
122	336	wscript.exe
124	568	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitation#E62-359.pdf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitation#E62-359.pdf.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	67	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	80	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	96	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	21	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	37	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	51	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	112	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	109	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	124	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	18	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	42	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	74	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	58	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	91	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	104	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	56	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	86	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	101	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript
HTTP User-Agent header	119	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/1/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1504 wrote to memory of 1304	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 1304	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 1304	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 568	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 568	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 568	1504	wscript.exe	wscript.exe
PID 568 wrote to memory of 336	568	wscript.exe	wscript.exe
PID 568 wrote to memory of 336	568	wscript.exe	wscript.exe
PID 568 wrote to memory of 336	568	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Solicitation#E62-359.pdf.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1304

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Solicitation#E62-359.pdf.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitation#E62-359.pdf.js
Filesize
984KB

MD5
4e2d729e9c8329faf413b544c6e3e142

SHA1
a2e1e676ef6be73c851acbaf46b00eb8635fb875

SHA256
069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87

SHA512
24f0eeec9c97dbd77601c46bf2cd4ae02ebfc23f291367d1308a369df8b5f48794a11ec5720853e8507a1fa576d4b9164231ca65a4c7fa12fc7219d3ed86917f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js
Filesize
346KB

MD5
feb390b3400f155e4df8ddb4c2e6a121

SHA1
0c12b706f2b3b1a2db0a2693a8942e14176f56db

SHA256
ab755cf1ba6577b20e2a366910a2bfc9b20cd75c6ac0f4afacb5936e43598902

SHA512
abd24d26576fe88d013e90521d533b182cdcce0085e238d5312840747bd3d854abfc5c218c5ef4e6c8a14e35ba61ac45db8d05ec9a8f73eb7d711c901caa9b0a

Download Submit
C:\Users\Admin\AppData\Roaming\Solicitation#E62-359.pdf.js
Filesize
984KB

MD5
4e2d729e9c8329faf413b544c6e3e142

SHA1
a2e1e676ef6be73c851acbaf46b00eb8635fb875

SHA256
069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87

SHA512
24f0eeec9c97dbd77601c46bf2cd4ae02ebfc23f291367d1308a369df8b5f48794a11ec5720853e8507a1fa576d4b9164231ca65a4c7fa12fc7219d3ed86917f

Download Submit
C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js
Filesize
346KB

MD5
feb390b3400f155e4df8ddb4c2e6a121

SHA1
0c12b706f2b3b1a2db0a2693a8942e14176f56db

SHA256
ab755cf1ba6577b20e2a366910a2bfc9b20cd75c6ac0f4afacb5936e43598902

SHA512
abd24d26576fe88d013e90521d533b182cdcce0085e238d5312840747bd3d854abfc5c218c5ef4e6c8a14e35ba61ac45db8d05ec9a8f73eb7d711c901caa9b0a

Download Submit
C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js
Filesize
346KB

MD5
feb390b3400f155e4df8ddb4c2e6a121

SHA1
0c12b706f2b3b1a2db0a2693a8942e14176f56db

SHA256
ab755cf1ba6577b20e2a366910a2bfc9b20cd75c6ac0f4afacb5936e43598902

SHA512
abd24d26576fe88d013e90521d533b182cdcce0085e238d5312840747bd3d854abfc5c218c5ef4e6c8a14e35ba61ac45db8d05ec9a8f73eb7d711c901caa9b0a

Download Submit
memory/336-58-0x0000000000000000-mapping.dmp

Download
memory/568-56-0x0000000000000000-mapping.dmp

Download
memory/1304-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads