vjw0rm | 723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f

General

Target

3e1b30de-f946-42cd-85a4-cc60c6337553.js
Size

994KB
MD5

3e24fff43158556e25533e4b9ad50ffa
SHA1

0f681b9867dd9d2db193ffe668c6e401a95aa089
SHA256

723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
SHA512

0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797
SSDEEP

6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8bubfQI+IGBYJje:eQ3B7qgpUbfo7

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://oyo.powrkenken.info:46077

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 55 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
10	1120	wscript.exe
11	328	wscript.exe
12	556	wscript.exe
13	556	wscript.exe
15	328	wscript.exe
17	1120	wscript.exe
19	556	wscript.exe
20	1120	wscript.exe
21	328	wscript.exe
23	556	wscript.exe
29	556	wscript.exe
32	328	wscript.exe
33	1120	wscript.exe
34	556	wscript.exe
36	1120	wscript.exe
38	328	wscript.exe
39	556	wscript.exe
42	556	wscript.exe
44	1120	wscript.exe
46	328	wscript.exe
49	556	wscript.exe
51	328	wscript.exe
53	1120	wscript.exe
54	556	wscript.exe
58	556	wscript.exe
59	328	wscript.exe
61	1120	wscript.exe
62	556	wscript.exe
65	328	wscript.exe
66	1120	wscript.exe
68	556	wscript.exe
72	556	wscript.exe
74	1120	wscript.exe
76	328	wscript.exe
77	556	wscript.exe
79	328	wscript.exe
81	1120	wscript.exe
82	556	wscript.exe
85	556	wscript.exe
87	328	wscript.exe
89	1120	wscript.exe
92	556	wscript.exe
94	328	wscript.exe
96	1120	wscript.exe
98	556	wscript.exe
101	556	wscript.exe
103	328	wscript.exe
104	1120	wscript.exe
105	556	wscript.exe
108	328	wscript.exe
109	556	wscript.exe
111	1120	wscript.exe
115	556	wscript.exe
117	328	wscript.exe
119	1120	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 23 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	109	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	49	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	54	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	68	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	101	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	105	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	23	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	39	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	42	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	92	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	12	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	85	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	98	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	77	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	115	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	19	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	58	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	62	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript
HTTP User-Agent header	72	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 31/1/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1464 wrote to memory of 1120	1464	wscript.exe	wscript.exe
PID 1464 wrote to memory of 1120	1464	wscript.exe	wscript.exe
PID 1464 wrote to memory of 1120	1464	wscript.exe	wscript.exe
PID 1464 wrote to memory of 556	1464	wscript.exe	wscript.exe
PID 1464 wrote to memory of 556	1464	wscript.exe	wscript.exe
PID 1464 wrote to memory of 556	1464	wscript.exe	wscript.exe
PID 556 wrote to memory of 328	556	wscript.exe	wscript.exe
PID 556 wrote to memory of 328	556	wscript.exe	wscript.exe
PID 556 wrote to memory of 328	556	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3e1b30de-f946-42cd-85a4-cc60c6337553.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pBCXlynutq.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1120

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\3e1b30de-f946-42cd-85a4-cc60c6337553.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pBCXlynutq.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3e1b30de-f946-42cd-85a4-cc60c6337553.js
Filesize
994KB

MD5
3e24fff43158556e25533e4b9ad50ffa

SHA1
0f681b9867dd9d2db193ffe668c6e401a95aa089

SHA256
723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f

SHA512
0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js
Filesize
994KB

MD5
3e24fff43158556e25533e4b9ad50ffa

SHA1
0f681b9867dd9d2db193ffe668c6e401a95aa089

SHA256
723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f

SHA512
0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js
Filesize
346KB

MD5
332f3d9969e8d9eb6affc2082767c7a9

SHA1
b1b5a15f54cf685f8447a28df41aa27924f296fb

SHA256
9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491

SHA512
9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3

Download Submit
C:\Users\Admin\AppData\Roaming\pBCXlynutq.js
Filesize
346KB

MD5
332f3d9969e8d9eb6affc2082767c7a9

SHA1
b1b5a15f54cf685f8447a28df41aa27924f296fb

SHA256
9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491

SHA512
9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3

Download Submit
C:\Users\Admin\AppData\Roaming\pBCXlynutq.js
Filesize
346KB

MD5
332f3d9969e8d9eb6affc2082767c7a9

SHA1
b1b5a15f54cf685f8447a28df41aa27924f296fb

SHA256
9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491

SHA512
9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3

Download Submit
memory/328-58-0x0000000000000000-mapping.dmp

Download
memory/556-56-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads