vjw0rm | b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b

General

Target

c159fc653a86ef3eab80e5d06b9cfa2c.exe
Size

541KB
MD5

c159fc653a86ef3eab80e5d06b9cfa2c
SHA1

f95b35bcd8528dafda2b8fd53bed2bab150676e3
SHA256

b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b
SHA512

78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2
SSDEEP

12288:lBXSh9d55EWf6bkHXgtQZDsfDfWXWBt9ExkUp8ZbcoahOOufKlgc+ABeaESJAzEM:7QZQz8Du4

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://vj5566.duckdns.org:5566

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x002000000000f683-56.dat	family_wshrat
behavioral1/files/0x000a000000013a09-60.dat	family_wshrat
behavioral1/files/0x0009000000013a47-61.dat	family_wshrat
behavioral1/files/0x0009000000013a47-62.dat	family_wshrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	2036	wscript.exe
3	2036	wscript.exe
5	336	wscript.exe
6	336	wscript.exe
12	1148	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js	WScript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\BXBCC2V24Z = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2036	1100	c159fc653a86ef3eab80e5d06b9cfa2c.exe	26
PID 1100 wrote to memory of 2036	1100	c159fc653a86ef3eab80e5d06b9cfa2c.exe	26
PID 1100 wrote to memory of 2036	1100	c159fc653a86ef3eab80e5d06b9cfa2c.exe	26
PID 1100 wrote to memory of 2036	1100	c159fc653a86ef3eab80e5d06b9cfa2c.exe	26
PID 2036 wrote to memory of 336	2036	wscript.exe	27
PID 2036 wrote to memory of 336	2036	wscript.exe	27
PID 2036 wrote to memory of 336	2036	wscript.exe	27
PID 2036 wrote to memory of 336	2036	wscript.exe	27
PID 336 wrote to memory of 1148	336	wscript.exe	28
PID 336 wrote to memory of 1148	336	wscript.exe	28
PID 336 wrote to memory of 1148	336	wscript.exe	28
PID 336 wrote to memory of 1148	336	wscript.exe	28

C:\Users\Admin\AppData\Local\Temp\c159fc653a86ef3eab80e5d06b9cfa2c.exe
"C:\Users\Admin\AppData\Local\Temp\c159fc653a86ef3eab80e5d06b9cfa2c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit
C:\Users\Admin\AppData\Roaming\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit
memory/1100-54-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing