Malware Analysis Report

2024-11-13 15:41

Sample ID 230328-h6gcgabd3y
Target 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA256 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
Tags
vjw0rm wshrat persistence trojan worm
score
10/10


Analysis Overview

score
10/10

SHA256

2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd

Threat Level: Known bad

The file 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

Analysis: static1

Detonation Overview

Reported

2023-03-28 07:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-28 07:20

Reported

2023-03-28 07:23

Platform

win7-20230220-en

Max time kernel

150s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|706EFC06|TMRJMUQF|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2023|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 1120 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js"

Network

Files

C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js

MD5 4e08cafb44979a23ed156eb84253251f
SHA1 f5b099091b50cae50afc3c857aaa52c74a73ed8d
SHA256 f99e8a6ec4548cb1b24be2e2179926d113d17a1645f95f95211bcded86c3a9df
SHA512 24a4dc0f1526a21585b12a33caddce44b2f4bd0de55c2ae32ada292dab022cd2070eefd3955f6b4b2e70955caafdf6bba96add5a1d2b7d17189f9d32848a9235

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

MD5 7bfa30c168b4a5dda79908ba88afb1f4
SHA1 5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5
SHA256 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA512 0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-28 07:20

Reported

2023-03-28 07:23

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|10B1D74F|TLGENAJY|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2023|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3708 wrote to memory of 3340 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js"

Network

Files

C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js

MD5 4e08cafb44979a23ed156eb84253251f
SHA1 f5b099091b50cae50afc3c857aaa52c74a73ed8d
SHA256 f99e8a6ec4548cb1b24be2e2179926d113d17a1645f95f95211bcded86c3a9df
SHA512 24a4dc0f1526a21585b12a33caddce44b2f4bd0de55c2ae32ada292dab022cd2070eefd3955f6b4b2e70955caafdf6bba96add5a1d2b7d17189f9d32848a9235

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd.js

MD5 7bfa30c168b4a5dda79908ba88afb1f4
SHA1 5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5
SHA256 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA512 0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca