vjw0rm | 1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

OrderPO22170555823612pg.js
Size

3.5MB
MD5

67d595a490ca50d4616e9aba4fb4bfe9
SHA1

b383bffa308581381d6f4b97974b37c002bf323b
SHA256

1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec
SHA512

e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4
SSDEEP

24576:I5iGHLJMwn013Jk0567dGoDOlYGG/FKSfuG6eGL1X8wZJtDWWqHow8U1MN2YucKR:Vq

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://141.98.6.239:5000

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 55 IoCs

flow	pid	Process
9	1276	wscript.exe
10	1580	wscript.exe
11	692	wscript.exe
13	692	wscript.exe
15	1580	wscript.exe
16	1276	wscript.exe
18	692	wscript.exe
20	692	wscript.exe
22	1580	wscript.exe
24	1276	wscript.exe
28	692	wscript.exe
30	1580	wscript.exe
32	1276	wscript.exe
33	692	wscript.exe
36	692	wscript.exe
38	1580	wscript.exe
40	1276	wscript.exe
41	692	wscript.exe
43	692	wscript.exe
46	1276	wscript.exe
48	1580	wscript.exe
51	692	wscript.exe
53	1276	wscript.exe
54	1580	wscript.exe
56	692	wscript.exe
58	692	wscript.exe
61	1276	wscript.exe
63	1580	wscript.exe
64	692	wscript.exe
66	692	wscript.exe
68	1580	wscript.exe
70	1276	wscript.exe
74	692	wscript.exe
76	1276	wscript.exe
77	1580	wscript.exe
79	692	wscript.exe
81	692	wscript.exe
83	1276	wscript.exe
84	1580	wscript.exe
86	692	wscript.exe
89	1276	wscript.exe
90	1580	wscript.exe
92	692	wscript.exe
96	692	wscript.exe
98	1276	wscript.exe
99	1580	wscript.exe
102	692	wscript.exe
105	692	wscript.exe
107	1580	wscript.exe
108	1276	wscript.exe
109	692	wscript.exe
111	1580	wscript.exe
113	1276	wscript.exe
115	692	wscript.exe
119	692	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	66	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	74	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	81	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	105	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	109	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	18	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	36	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	58	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	119	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	41	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	51	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	56	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	79	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	28	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	96	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	102	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	115	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	20	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	43	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	86	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	92	WSHRAT\|F4C6D0E0\|WFSTZEPN\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/5/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1580	1284	wscript.exe	28
PID 1284 wrote to memory of 1580	1284	wscript.exe	28
PID 1284 wrote to memory of 1580	1284	wscript.exe	28
PID 1284 wrote to memory of 692	1284	wscript.exe	29
PID 1284 wrote to memory of 692	1284	wscript.exe	29
PID 1284 wrote to memory of 692	1284	wscript.exe	29
PID 692 wrote to memory of 1276	692	wscript.exe	31
PID 692 wrote to memory of 1276	692	wscript.exe	31
PID 692 wrote to memory of 1276	692	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\OrderPO22170555823612pg.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1580
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrderPO22170555823612pg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js

Filesize
3.5MB

MD5
67d595a490ca50d4616e9aba4fb4bfe9

SHA1
b383bffa308581381d6f4b97974b37c002bf323b

SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js

Filesize
3.5MB

MD5
67d595a490ca50d4616e9aba4fb4bfe9

SHA1
b383bffa308581381d6f4b97974b37c002bf323b

SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js

Filesize
346KB

MD5
e6e138e2c6457ac217a18f799fa69609

SHA1
747f2edb469aa1170943a6312beae93d97880a28

SHA256
fc261d926160514513619eb154e215b61044bc0f5ba8dcd1b9e823ff4853882c

SHA512
d8ca56a63f6118547b47f1c551d72ed7fad76b1249306e7eaa6798b5aad2bc6bf6a6f61d4c035d8632a5c5177d4eb1a889988bb40ca2c59e3b2cff859a36c81e

Download Submit
C:\Users\Admin\AppData\Roaming\OrderPO22170555823612pg.js

Filesize
3.5MB

MD5
67d595a490ca50d4616e9aba4fb4bfe9

SHA1
b383bffa308581381d6f4b97974b37c002bf323b

SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4

Download Submit
C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js

Filesize
346KB

MD5
e6e138e2c6457ac217a18f799fa69609

SHA1
747f2edb469aa1170943a6312beae93d97880a28

SHA256
fc261d926160514513619eb154e215b61044bc0f5ba8dcd1b9e823ff4853882c

SHA512
d8ca56a63f6118547b47f1c551d72ed7fad76b1249306e7eaa6798b5aad2bc6bf6a6f61d4c035d8632a5c5177d4eb1a889988bb40ca2c59e3b2cff859a36c81e

Download Submit
C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js

Filesize
346KB

MD5
e6e138e2c6457ac217a18f799fa69609

SHA1
747f2edb469aa1170943a6312beae93d97880a28

SHA256
fc261d926160514513619eb154e215b61044bc0f5ba8dcd1b9e823ff4853882c

SHA512
d8ca56a63f6118547b47f1c551d72ed7fad76b1249306e7eaa6798b5aad2bc6bf6a6f61d4c035d8632a5c5177d4eb1a889988bb40ca2c59e3b2cff859a36c81e

Download Submit