Behavioral Report

Analysis

max time kernel
156s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js
Size

285KB
MD5

eeacf758acc21133811bce63aa477ee7
SHA1

d2ed9bfbfb8dd47ac3120efc757f43adf3ce3dbf
SHA256

a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce
SHA512

fb97ce1cb831f48f5612976f8401d3eabd580ffb16375f24f53139cc3991a55028fe2a7668024c572b3a08f6e4ef4eca55bca974e07223e5b28901e650ff78b1
SSDEEP

6144:7DrOg9pEJX1WPNSrV8iLgENxGVc+2dfpMAZL6sXZ7lorHawkkt:7DrOrJXAPGZxGVsl6mlsNt

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://auto.stevenpartners.com:23015

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 43 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
12	4832	wscript.exe
13	1748	wscript.exe
15	4832	wscript.exe
31	4832	wscript.exe
32	1748	wscript.exe
35	4832	wscript.exe
46	1748	wscript.exe
54	4832	wscript.exe
75	4832	wscript.exe
86	1748	wscript.exe
100	4832	wscript.exe
101	4832	wscript.exe
102	1748	wscript.exe
105	4832	wscript.exe
106	1748	wscript.exe
107	4832	wscript.exe
108	4832	wscript.exe
109	1748	wscript.exe
113	4832	wscript.exe
114	4832	wscript.exe
115	1748	wscript.exe
116	4832	wscript.exe
117	1748	wscript.exe
118	4832	wscript.exe
119	4832	wscript.exe
120	1748	wscript.exe
121	4832	wscript.exe
122	4832	wscript.exe
123	1748	wscript.exe
124	4832	wscript.exe
125	1748	wscript.exe
126	4832	wscript.exe
127	4832	wscript.exe
128	1748	wscript.exe
129	4832	wscript.exe
130	4832	wscript.exe
131	1748	wscript.exe
132	4832	wscript.exe
133	1748	wscript.exe
134	4832	wscript.exe
135	4832	wscript.exe
136	1748	wscript.exe
137	4832	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GBnMAOQmgU.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GBnMAOQmgU.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

flow	ioc
10	ip-api.com

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	113	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	114	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	116	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	118	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	121	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	127	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	15	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	31	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	134	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	126	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	122	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	124	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	75	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	100	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	105	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	107	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	108	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	119	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	35	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	54	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	132	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	135	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	129	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	130	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	101	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	137	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/2/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4832 wrote to memory of 1748	4832	wscript.exe	wscript.exe
PID 4832 wrote to memory of 1748	4832	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce.js

Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Suspicious use of WriteProcessMemory

PID:4832

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GBnMAOQmgU.js"

Blocklisted process makes network request
Drops startup file

PID:1748

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Roaming\GBnMAOQmgU.js
Filesize
17KB

MD5
4b4e4b65289e3c8364ea3bd6b0255e60

SHA1
cc999970a2ca2b76d8dd1c5c7014b7f45ac81d68

SHA256
175abae400a769ab8d257f8406c05e25c0c524f55fd3bdc674da1ac0835dea83

SHA512
980fc019525812ff47354cee484280d0a64c3cf9d85052f35262d57f464ee444c335d9299a8ce8ac5f28d5cd20fa6ab70871531ba89251588d56c8c27d1e30f8

Download Submit
memory/1748-132-0x0000000000000000-mapping.dmp

Download