Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-02-2023 18:10
General
-
Target
a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js
-
Size
285KB
-
MD5
eeacf758acc21133811bce63aa477ee7
-
SHA1
d2ed9bfbfb8dd47ac3120efc757f43adf3ce3dbf
-
SHA256
a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce
-
SHA512
fb97ce1cb831f48f5612976f8401d3eabd580ffb16375f24f53139cc3991a55028fe2a7668024c572b3a08f6e4ef4eca55bca974e07223e5b28901e650ff78b1
-
SSDEEP
6144:7DrOg9pEJX1WPNSrV8iLgENxGVc+2dfpMAZL6sXZ7lorHawkkt:7DrOrJXAPGZxGVsl6mlsNt
Malware Config
Extracted
wshrat
http://auto.stevenpartners.com:23015
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 43 IoCs
-
Drops startup file 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 26 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exePID:1992wscript.exe C:\Users\Admin\AppData\Local\Temp\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.jsBlocklisted process makes network requestDrops startup fileAdds Run key to start applicationSuspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exePID:1220"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GBnMAOQmgU.js"Blocklisted process makes network requestDrops startup file
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Modify Registry
1Discovery
System Information Discovery
1Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Registry Run Keys / Startup Folder
1Privilege Escalation
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Roaming\GBnMAOQmgU.jsFilesize
17KB
MD54b4e4b65289e3c8364ea3bd6b0255e60
SHA1cc999970a2ca2b76d8dd1c5c7014b7f45ac81d68
SHA256175abae400a769ab8d257f8406c05e25c0c524f55fd3bdc674da1ac0835dea83
SHA512980fc019525812ff47354cee484280d0a64c3cf9d85052f35262d57f464ee444c335d9299a8ce8ac5f28d5cd20fa6ab70871531ba89251588d56c8c27d1e30f8
-
memory/1220-55-0x0000000000000000-mapping.dmp
-
memory/1992-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmpFilesize
8KB