vjw0rm | de852e1b1e43123cddc6cbe268aa7ab3785f8fa025827e71f2ba003fd4fae221

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

old outstanding .PDF.js
Size

3.4MB
MD5

f8ddd3aaf61755a6c98ec2c29972175c
SHA1

1ddd1757ef6be65c231dc383369b84773544a6da
SHA256

344b8c7c7c4467f18c9b43447efafad8ac795c25b006465aeb1bd6097b50abb7
SHA512

a6ebf3d3ffa5c749f2ea2dc5eb90a7a355b8dcc1cf5b7b48cfdbc291b8f5f6df560ffcd59a6242583e64d0795ba034ad7aea2b68039b98b9b50259305e13e1c9
SSDEEP

24576:zw3cOiE9u9QbpAW0MP074JExjtKTs7JRkWgGgbR4L3lN2bpxjkn1vrFWuYLasHfy:E0j

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

http://84.21.172.33:8895

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 38 IoCs

flow	pid	Process
6	916	wscript.exe
7	2024	wscript.exe
8	2024	wscript.exe
9	916	wscript.exe
11	2024	wscript.exe
14	916	wscript.exe
15	2024	wscript.exe
18	2024	wscript.exe
19	916	wscript.exe
21	2024	wscript.exe
23	916	wscript.exe
25	2024	wscript.exe
26	916	wscript.exe
28	2024	wscript.exe
30	2024	wscript.exe
33	916	wscript.exe
34	2024	wscript.exe
36	916	wscript.exe
37	2024	wscript.exe
38	2024	wscript.exe
41	916	wscript.exe
43	2024	wscript.exe
45	916	wscript.exe
46	2024	wscript.exe
47	2024	wscript.exe
50	916	wscript.exe
51	2024	wscript.exe
53	916	wscript.exe
55	2024	wscript.exe
56	2024	wscript.exe
57	916	wscript.exe
60	2024	wscript.exe
62	916	wscript.exe
63	2024	wscript.exe
64	2024	wscript.exe
67	916	wscript.exe
69	2024	wscript.exe
71	916	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JbhvVxjFLu.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JbhvVxjFLu.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\old outstanding .PDF.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\old outstanding .PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\old outstanding = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\old outstanding .PDF.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\old outstanding = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\old outstanding .PDF.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 22 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	37	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	47	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	8	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	25	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	30	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	28	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	69	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	21	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	38	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	51	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	18	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	43	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	55	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	56	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	60	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	7	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	15	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript
HTTP User-Agent header	63	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 916	2024	wscript.exe	27
PID 2024 wrote to memory of 916	2024	wscript.exe	27
PID 2024 wrote to memory of 916	2024	wscript.exe	27

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\old outstanding .PDF.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JbhvVxjFLu.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JbhvVxjFLu.js

Filesize
346KB

MD5
094b69598513ca6dad4609a1a622c665

SHA1
44fbd36b3c2eec31e3424d7ec5d93d50721e7d13

SHA256
f50dc6f0205c3d62f02ef2df694a1bb468b110efc83b38236747d1b40c3cbc33

SHA512
558b6ae3466c0ca2eee60665acb41f3ab9deacd7898cfd2404ed726f47990d188ba3eec429cba91aeed9d87a4b37d17be78801009ecb42d4c8dadd2f017fed67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\old outstanding .PDF.js

Filesize
3.4MB

MD5
f8ddd3aaf61755a6c98ec2c29972175c

SHA1
1ddd1757ef6be65c231dc383369b84773544a6da

SHA256
344b8c7c7c4467f18c9b43447efafad8ac795c25b006465aeb1bd6097b50abb7

SHA512
a6ebf3d3ffa5c749f2ea2dc5eb90a7a355b8dcc1cf5b7b48cfdbc291b8f5f6df560ffcd59a6242583e64d0795ba034ad7aea2b68039b98b9b50259305e13e1c9

Download Submit