vjw0rm | e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

General

Target

30260b612d994b6c7e5ff1febcb9a157.exe
Size

542KB
MD5

30260b612d994b6c7e5ff1febcb9a157
SHA1

64d927347d0c0786527532d86949919c076321c1
SHA256

e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7
SHA512

8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5
SSDEEP

12288:UfIub9KMhn1PtO9yD34A81qsEh67FplSb2N8AF+IxOSEEmQiv0df8s/RcSklTWk:kIuYAJ4Ms/bh

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://vj7974.duckdns.org:7974

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\JoGjo.vbs	family_wshrat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs	family_wshrat

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exeWScript.exe

flow pid process

2 1956 wscript.exe
3 1956 wscript.exe
9 1172 WScript.exe

flow	pid	process
2	1956	wscript.exe
3	1956	wscript.exe
9	1172	WScript.exe

Drops startup file 3 IoCs

Processes:

wscript.exeWScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\BN3XGO1HFO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.js\""	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

30260b612d994b6c7e5ff1febcb9a157.exewscript.exe

description	pid	process	target process
PID 2000 wrote to memory of 1956	2000	30260b612d994b6c7e5ff1febcb9a157.exe	wscript.exe
PID 2000 wrote to memory of 1956	2000	30260b612d994b6c7e5ff1febcb9a157.exe	wscript.exe
PID 2000 wrote to memory of 1956	2000	30260b612d994b6c7e5ff1febcb9a157.exe	wscript.exe
PID 2000 wrote to memory of 1956	2000	30260b612d994b6c7e5ff1febcb9a157.exe	wscript.exe
PID 1956 wrote to memory of 1172	1956	wscript.exe	WScript.exe
PID 1956 wrote to memory of 1172	1956	wscript.exe	WScript.exe
PID 1956 wrote to memory of 1172	1956	wscript.exe	WScript.exe
PID 1956 wrote to memory of 1172	1956	wscript.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\30260b612d994b6c7e5ff1febcb9a157.exe
"C:\Users\Admin\AppData\Local\Temp\30260b612d994b6c7e5ff1febcb9a157.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JoGjo.vbs
Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs
Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js
Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js
Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
memory/2000-54-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads