Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-03-2023 07:20

General

  • Target

    2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

  • Size

    3.6MB

  • MD5

    7bfa30c168b4a5dda79908ba88afb1f4

  • SHA1

    5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5

  • SHA256

    2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd

  • SHA512

    0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca

  • SSDEEP

    24576:3KbnF5Tsf5pjWDTxVMSTZ2g1oecJ6ZFRUS8jBZv8LlSiKSmCz+nOig2gy4dR6xqT:ixX

Malware Config

Extracted

Family

wshrat

C2

http://rookfellas.mrbasic.com:9202

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request 22 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 6 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1120

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion
    Modify Registry: T1112 (1)

  • Discovery
    System Information Discovery: T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js
    Filesize

    3.6MB

    MD5

    7bfa30c168b4a5dda79908ba88afb1f4

    SHA1

    5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5

    SHA256

    2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd

    SHA512

    0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca

  • C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js
    Filesize

    346KB

    MD5

    4e08cafb44979a23ed156eb84253251f

    SHA1

    f5b099091b50cae50afc3c857aaa52c74a73ed8d

    SHA256

    f99e8a6ec4548cb1b24be2e2179926d113d17a1645f95f95211bcded86c3a9df

    SHA512

    24a4dc0f1526a21585b12a33caddce44b2f4bd0de55c2ae32ada292dab022cd2070eefd3955f6b4b2e70955caafdf6bba96add5a1d2b7d17189f9d32848a9235