Malware Analysis Report

2024-11-13 15:41

Sample ID: 230328-hvy35she52
Target: AWB#00756543.pdf.js
SHA256: 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
Tags: vjw0rm wshrat persistence trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd

Threat Level: Known bad

The file AWB#00756543.pdf.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-03-28 07:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-28 07:04
Reported: 2023-03-28 07:06
Platform: win7-20230220-en
Max time kernel: 149s
Max time network: 155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB#00756543.pdf.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js (process: C:\Windows\system32\wscript.exe; target: N/A)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js (process: C:\Windows\system32\wscript.exe; target: N/A)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js (process: C:\Windows\System32\wscript.exe; target: N/A)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js (process: C:\Windows\System32\wscript.exe; target: N/A)

Adds Run key to start application

persistence

Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (process: C:\Windows\system32\wscript.exe; target: N/A)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB#00756543 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#00756543.pdf.js\"" (process: C:\Windows\system32\wscript.exe; target: N/A)
Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\software\microsoft\windows\currentversion\run (process: C:\Windows\system32\wscript.exe; target: N/A)
Set value (str): \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWB#00756543 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#00756543.pdf.js\"" (process: C:\Windows\system32\wscript.exe; target: N/A)

Enumerates physical storage devices

Script User-Agent

HTTP User-Agent header: WSHRAT|706EFC06|TMRJMUQF|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2023|JavaScript (process: N/A; target: N/A; 5 identical events)

Suspicious use of WriteProcessMemory

PID 1712 wrote to memory of 324 (indicator: N/A; process: C:\Windows\system32\wscript.exe; target: C:\Windows\System32\wscript.exe; 3 identical events)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB#00756543.pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 1
US 8.8.8.8:53 rookfellas.mrbasic.com udp 1
BG 193.42.32.233:9202 rookfellas.mrbasic.com tcp 5
EE 91.193.75.131:5449 javaautorun.duia.ro tcp 15

Files

C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js

MD5 4e08cafb44979a23ed156eb84253251f
SHA1 f5b099091b50cae50afc3c857aaa52c74a73ed8d
SHA256 f99e8a6ec4548cb1b24be2e2179926d113d17a1645f95f95211bcded86c3a9df
SHA512 24a4dc0f1526a21585b12a33caddce44b2f4bd0de55c2ae32ada292dab022cd2070eefd3955f6b4b2e70955caafdf6bba96add5a1d2b7d17189f9d32848a9235

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js

MD5 7bfa30c168b4a5dda79908ba88afb1f4
SHA1 5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5
SHA256 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA512 0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-28 07:04
Reported: 2023-03-28 07:06
Platform: win10v2004-20230220-en
Max time kernel: 147s
Max time network: 151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB#00756543.pdf.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation (process: C:\Windows\system32\wscript.exe; target: N/A)

Drops startup file

File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js (process: C:\Windows\system32\wscript.exe; target: N/A)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js (process: C:\Windows\System32\wscript.exe; target: N/A)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js (process: C:\Windows\System32\wscript.exe; target: N/A)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js (process: C:\Windows\system32\wscript.exe; target: N/A)

Adds Run key to start application

persistence

Key created: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run (process: C:\Windows\system32\wscript.exe; target: N/A)
Set value (str): \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB#00756543 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#00756543.pdf.js\"" (process: C:\Windows\system32\wscript.exe; target: N/A)
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (process: C:\Windows\system32\wscript.exe; target: N/A)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB#00756543 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#00756543.pdf.js\"" (process: C:\Windows\system32\wscript.exe; target: N/A)

Enumerates physical storage devices

Script User-Agent

HTTP User-Agent header: WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2023|JavaScript (process: N/A; target: N/A; 6 identical events)

Suspicious use of WriteProcessMemory

PID 4916 wrote to memory of 4128 (indicator: N/A; process: C:\Windows\system32\wscript.exe; target: C:\Windows\System32\wscript.exe; 2 identical events)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB#00756543.pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp 1
US 8.8.8.8:53 javaautorun.duia.ro udp 1
US 8.8.8.8:53 rookfellas.mrbasic.com udp 1
EE 91.193.75.131:5449 javaautorun.duia.ro tcp 16
BG 193.42.32.233:9202 rookfellas.mrbasic.com tcp 6
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 233.32.42.193.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp 1
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp 1
US 20.189.173.9:443 N/A tcp 1
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js

MD5 4e08cafb44979a23ed156eb84253251f
SHA1 f5b099091b50cae50afc3c857aaa52c74a73ed8d
SHA256 f99e8a6ec4548cb1b24be2e2179926d113d17a1645f95f95211bcded86c3a9df
SHA512 24a4dc0f1526a21585b12a33caddce44b2f4bd0de55c2ae32ada292dab022cd2070eefd3955f6b4b2e70955caafdf6bba96add5a1d2b7d17189f9d32848a9235

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js

MD5 7bfa30c168b4a5dda79908ba88afb1f4
SHA1 5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5
SHA256 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA512 0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca