vjw0rm | e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

General

Target

tmp.exe
Size

542KB
MD5

30260b612d994b6c7e5ff1febcb9a157
SHA1

64d927347d0c0786527532d86949919c076321c1
SHA256

e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7
SHA512

8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5
SSDEEP

12288:UfIub9KMhn1PtO9yD34A81qsEh67FplSb2N8AF+IxOSEEmQiv0df8s/RcSklTWk:kIuYAJ4Ms/bh

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000130e0-56.dat	family_wshrat
behavioral1/files/0x00090000000132e1-66.dat	family_wshrat

Blocklisted process makes network request 7 IoCs

flow	pid	Process
2	868	wscript.exe
3	868	wscript.exe
9	1708	WScript.exe
14	1708	WScript.exe
17	1708	WScript.exe
22	1708	WScript.exe
25	1708	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\BN3XGO1HFO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 868	1524	tmp.exe	27
PID 1524 wrote to memory of 868	1524	tmp.exe	27
PID 1524 wrote to memory of 868	1524	tmp.exe	27
PID 1524 wrote to memory of 868	1524	tmp.exe	27
PID 868 wrote to memory of 1708	868	wscript.exe	28
PID 868 wrote to memory of 1708	868	wscript.exe	28
PID 868 wrote to memory of 1708	868	wscript.exe	28
PID 868 wrote to memory of 1708	868	wscript.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
memory/1524-54-0x0000000001370000-0x00000000013FC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing