vjw0rm | 1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OrderPO22170555823612pg.js
Size

3.5MB
MD5

67d595a490ca50d4616e9aba4fb4bfe9
SHA1

b383bffa308581381d6f4b97974b37c002bf323b
SHA256

1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec
SHA512

e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4
SSDEEP

24576:I5iGHLJMwn013Jk0567dGoDOlYGG/FKSfuG6eGL1X8wZJtDWWqHow8U1MN2YucKR:Vq

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://141.98.6.239:5000

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 61 IoCs

flow	pid	Process
23	3540	wscript.exe
26	640	wscript.exe
27	3388	wscript.exe
29	640	wscript.exe
30	3540	wscript.exe
36	3388	wscript.exe
37	640	wscript.exe
39	640	wscript.exe
41	3540	wscript.exe
42	3388	wscript.exe
44	640	wscript.exe
46	640	wscript.exe
47	3540	wscript.exe
48	3388	wscript.exe
49	640	wscript.exe
51	3540	wscript.exe
52	640	wscript.exe
53	3388	wscript.exe
59	640	wscript.exe
61	3540	wscript.exe
62	640	wscript.exe
63	3388	wscript.exe
67	640	wscript.exe
68	3540	wscript.exe
70	640	wscript.exe
71	3388	wscript.exe
73	640	wscript.exe
74	3540	wscript.exe
76	3388	wscript.exe
78	640	wscript.exe
79	640	wscript.exe
80	3540	wscript.exe
81	3388	wscript.exe
82	640	wscript.exe
83	640	wscript.exe
84	3540	wscript.exe
85	3388	wscript.exe
86	640	wscript.exe
88	640	wscript.exe
89	3540	wscript.exe
90	3388	wscript.exe
91	640	wscript.exe
92	3540	wscript.exe
93	640	wscript.exe
94	3388	wscript.exe
95	640	wscript.exe
97	3540	wscript.exe
98	640	wscript.exe
99	3388	wscript.exe
100	640	wscript.exe
101	3540	wscript.exe
102	3388	wscript.exe
103	640	wscript.exe
104	640	wscript.exe
106	3540	wscript.exe
107	3388	wscript.exe
108	640	wscript.exe
109	640	wscript.exe
110	3540	wscript.exe
111	3388	wscript.exe
112	640	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrderPO22170555823612pg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OrderPO22170555823612pg.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 29 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	26	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	59	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	79	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	100	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	108	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	39	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	62	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	104	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	37	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	88	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	98	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	103	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	49	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	52	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	70	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	73	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	91	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	78	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	109	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	86	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	95	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	112	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	67	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	83	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript
HTTP User-Agent header	93	WSHRAT\|78F0674A\|HCIDPJOT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/5/2023\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3540	4940	wscript.exe	83
PID 4940 wrote to memory of 3540	4940	wscript.exe	83
PID 4940 wrote to memory of 640	4940	wscript.exe	84
PID 4940 wrote to memory of 640	4940	wscript.exe	84
PID 640 wrote to memory of 3388	640	wscript.exe	85
PID 640 wrote to memory of 3388	640	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\OrderPO22170555823612pg.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3540
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrderPO22170555823612pg.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:3388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js

Filesize
3.5MB

MD5
67d595a490ca50d4616e9aba4fb4bfe9

SHA1
b383bffa308581381d6f4b97974b37c002bf323b

SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrderPO22170555823612pg.js

Filesize
3.5MB

MD5
67d595a490ca50d4616e9aba4fb4bfe9

SHA1
b383bffa308581381d6f4b97974b37c002bf323b

SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aSBEeGzSsf.js

Filesize
346KB

MD5
e6e138e2c6457ac217a18f799fa69609

SHA1
747f2edb469aa1170943a6312beae93d97880a28

SHA256
fc261d926160514513619eb154e215b61044bc0f5ba8dcd1b9e823ff4853882c

SHA512
d8ca56a63f6118547b47f1c551d72ed7fad76b1249306e7eaa6798b5aad2bc6bf6a6f61d4c035d8632a5c5177d4eb1a889988bb40ca2c59e3b2cff859a36c81e

Download Submit
C:\Users\Admin\AppData\Roaming\OrderPO22170555823612pg.js

Filesize
3.5MB

MD5
67d595a490ca50d4616e9aba4fb4bfe9

SHA1
b383bffa308581381d6f4b97974b37c002bf323b

SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec

SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4

Download Submit
C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js

Filesize
346KB

MD5
e6e138e2c6457ac217a18f799fa69609

SHA1
747f2edb469aa1170943a6312beae93d97880a28

SHA256
fc261d926160514513619eb154e215b61044bc0f5ba8dcd1b9e823ff4853882c

SHA512
d8ca56a63f6118547b47f1c551d72ed7fad76b1249306e7eaa6798b5aad2bc6bf6a6f61d4c035d8632a5c5177d4eb1a889988bb40ca2c59e3b2cff859a36c81e

Download Submit
C:\Users\Admin\AppData\Roaming\aSBEeGzSsf.js

Filesize
346KB

MD5
e6e138e2c6457ac217a18f799fa69609

SHA1
747f2edb469aa1170943a6312beae93d97880a28

SHA256
fc261d926160514513619eb154e215b61044bc0f5ba8dcd1b9e823ff4853882c

SHA512
d8ca56a63f6118547b47f1c551d72ed7fad76b1249306e7eaa6798b5aad2bc6bf6a6f61d4c035d8632a5c5177d4eb1a889988bb40ca2c59e3b2cff859a36c81e

Download Submit