vjw0rm | 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7

General

Target

RFQ -F7 AIRCRAFT.js
Size

5.5MB
MD5

5f8b36eb5344031a80d596979dfa752c
SHA1

d9490cf67b33b741237efc63ff56e1b0d8ea36a8
SHA256

5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
SHA512

7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a
SSDEEP

6144:K41FAmzRqqfadNrdpM66w8yZKTnDC/K3jKkAw41Ue/3tzs/BXACA+HxZjD3I/SVc:/dLyNrdaMvk46efBs5wCxBDTDVCg3vb8

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 57 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
9	992	wscript.exe
10	980	wscript.exe
11	1508	wscript.exe
12	1508	wscript.exe
15	980	wscript.exe
16	992	wscript.exe
17	1508	wscript.exe
20	1508	wscript.exe
23	980	wscript.exe
24	992	wscript.exe
28	1508	wscript.exe
30	980	wscript.exe
32	992	wscript.exe
33	1508	wscript.exe
36	1508	wscript.exe
39	980	wscript.exe
40	992	wscript.exe
41	1508	wscript.exe
43	980	wscript.exe
46	1508	wscript.exe
48	992	wscript.exe
51	1508	wscript.exe
53	992	wscript.exe
54	980	wscript.exe
57	1508	wscript.exe
59	1508	wscript.exe
61	992	wscript.exe
62	980	wscript.exe
64	1508	wscript.exe
66	992	wscript.exe
68	980	wscript.exe
69	1508	wscript.exe
73	1508	wscript.exe
76	980	wscript.exe
78	992	wscript.exe
79	1508	wscript.exe
81	1508	wscript.exe
83	992	wscript.exe
84	980	wscript.exe
86	1508	wscript.exe
89	992	wscript.exe
90	980	wscript.exe
93	1508	wscript.exe
96	1508	wscript.exe
98	992	wscript.exe
99	980	wscript.exe
101	1508	wscript.exe
104	1508	wscript.exe
106	992	wscript.exe
108	980	wscript.exe
109	1508	wscript.exe
111	992	wscript.exe
113	980	wscript.exe
115	1508	wscript.exe
119	1508	wscript.exe
121	992	wscript.exe
122	980	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	20	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	51	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	59	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	69	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	119	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	17	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	12	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	41	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	73	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	96	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	101	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	115	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	36	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	79	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	109	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	28	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	81	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	86	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	93	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	104	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript
HTTP User-Agent header	57	WSHRAT\|DC37C744\|SABDUHNY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/2/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1112 wrote to memory of 980	1112	wscript.exe	wscript.exe
PID 1112 wrote to memory of 980	1112	wscript.exe	wscript.exe
PID 1112 wrote to memory of 980	1112	wscript.exe	wscript.exe
PID 1112 wrote to memory of 1508	1112	wscript.exe	wscript.exe
PID 1112 wrote to memory of 1508	1112	wscript.exe	wscript.exe
PID 1112 wrote to memory of 1508	1112	wscript.exe	wscript.exe
PID 1508 wrote to memory of 992	1508	wscript.exe	wscript.exe
PID 1508 wrote to memory of 992	1508	wscript.exe	wscript.exe
PID 1508 wrote to memory of 992	1508	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ -F7 AIRCRAFT.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:980

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ -F7 AIRCRAFT.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js
Filesize
346KB

MD5
f84df0a06b9da5301c5f2e22dfbf7b4a

SHA1
e1b5db7ad5a714e7df7c35448530de01880a69ed

SHA256
61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e

SHA512
e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js
Filesize
5.5MB

MD5
5f8b36eb5344031a80d596979dfa752c

SHA1
d9490cf67b33b741237efc63ff56e1b0d8ea36a8

SHA256
5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7

SHA512
7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a

Download Submit
C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js
Filesize
346KB

MD5
f84df0a06b9da5301c5f2e22dfbf7b4a

SHA1
e1b5db7ad5a714e7df7c35448530de01880a69ed

SHA256
61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e

SHA512
e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

Download Submit
C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js
Filesize
346KB

MD5
f84df0a06b9da5301c5f2e22dfbf7b4a

SHA1
e1b5db7ad5a714e7df7c35448530de01880a69ed

SHA256
61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e

SHA512
e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

Download Submit
C:\Users\Admin\AppData\Roaming\RFQ -F7 AIRCRAFT.js
Filesize
5.5MB

MD5
5f8b36eb5344031a80d596979dfa752c

SHA1
d9490cf67b33b741237efc63ff56e1b0d8ea36a8

SHA256
5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7

SHA512
7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a

Download Submit
memory/980-54-0x0000000000000000-mapping.dmp

Download
memory/992-58-0x0000000000000000-mapping.dmp

Download
memory/1508-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads