vjw0rm | ee4d4c17bf09054c1f23e7a41363a788c77e604b72360543a47c140b25e9e100

General

Target

Dhl Authorisation 0471.js
Size

2.7MB
MD5

eed1ebe93897be063de0e58e4727e202
SHA1

81d8a907c8b0c7aea595f19214588d14f8d34922
SHA256

ee4d4c17bf09054c1f23e7a41363a788c77e604b72360543a47c140b25e9e100
SHA512

be4395746b1b02af6262d65669c0d6df5228b84e960ee7c2f6dc30ef6aff8c49150235ab0bf1f2e4067a9236b0d95eeddb189c4ba368fb6d4ad2a11a5a9aaf19
SSDEEP

24576:nqCxdnXs0pApmfJL/SoAWQLE6/WXpVxzrO/J/HWVZBmqdYnV0tme/4lFOi51o39D:B

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://80.85.154.247:5053

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 34 IoCs

flow	pid	Process
9	1968	wscript.exe
10	1988	wscript.exe
11	1300	wscript.exe
12	1300	wscript.exe
14	1300	wscript.exe
17	1300	wscript.exe
21	1300	wscript.exe
23	1968	wscript.exe
25	1988	wscript.exe
27	1300	wscript.exe
29	1300	wscript.exe
31	1300	wscript.exe
33	1300	wscript.exe
37	1300	wscript.exe
39	1968	wscript.exe
40	1988	wscript.exe
42	1300	wscript.exe
44	1300	wscript.exe
47	1300	wscript.exe
49	1300	wscript.exe
54	1300	wscript.exe
57	1968	wscript.exe
59	1988	wscript.exe
60	1300	wscript.exe
62	1300	wscript.exe
64	1300	wscript.exe
67	1300	wscript.exe
70	1300	wscript.exe
72	1968	wscript.exe
73	1988	wscript.exe
76	1300	wscript.exe
78	1300	wscript.exe
80	1300	wscript.exe
82	1300	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lOtnWPJMDG.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dhl Authorisation 0471.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dhl Authorisation 0471.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lOtnWPJMDG.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lOtnWPJMDG.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dhl Authorisation 0471 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Dhl Authorisation 0471.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dhl Authorisation 0471 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Dhl Authorisation 0471.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dhl Authorisation 0471 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Dhl Authorisation 0471.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dhl Authorisation 0471 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Dhl Authorisation 0471.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	42	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	62	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	80	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	47	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	70	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	27	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	17	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	21	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	37	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	54	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	67	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	14	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	49	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	60	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	76	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	78	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	31	WSHRAT\|94AB1E66\|NNDGNFRP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1988	1948	wscript.exe	26
PID 1948 wrote to memory of 1988	1948	wscript.exe	26
PID 1948 wrote to memory of 1988	1948	wscript.exe	26
PID 1948 wrote to memory of 1300	1948	wscript.exe	27
PID 1948 wrote to memory of 1300	1948	wscript.exe	27
PID 1948 wrote to memory of 1300	1948	wscript.exe	27
PID 1300 wrote to memory of 1968	1300	wscript.exe	29
PID 1300 wrote to memory of 1968	1300	wscript.exe	29
PID 1300 wrote to memory of 1968	1300	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Dhl Authorisation 0471.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lOtnWPJMDG.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1988
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Dhl Authorisation 0471.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lOtnWPJMDG.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dhl Authorisation 0471.js

Filesize
2.7MB

MD5
eed1ebe93897be063de0e58e4727e202

SHA1
81d8a907c8b0c7aea595f19214588d14f8d34922

SHA256
ee4d4c17bf09054c1f23e7a41363a788c77e604b72360543a47c140b25e9e100

SHA512
be4395746b1b02af6262d65669c0d6df5228b84e960ee7c2f6dc30ef6aff8c49150235ab0bf1f2e4067a9236b0d95eeddb189c4ba368fb6d4ad2a11a5a9aaf19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dhl Authorisation 0471.js

Filesize
2.7MB

MD5
eed1ebe93897be063de0e58e4727e202

SHA1
81d8a907c8b0c7aea595f19214588d14f8d34922

SHA256
ee4d4c17bf09054c1f23e7a41363a788c77e604b72360543a47c140b25e9e100

SHA512
be4395746b1b02af6262d65669c0d6df5228b84e960ee7c2f6dc30ef6aff8c49150235ab0bf1f2e4067a9236b0d95eeddb189c4ba368fb6d4ad2a11a5a9aaf19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dhl Authorisation 0471.js

Filesize
2.7MB

MD5
eed1ebe93897be063de0e58e4727e202

SHA1
81d8a907c8b0c7aea595f19214588d14f8d34922

SHA256
ee4d4c17bf09054c1f23e7a41363a788c77e604b72360543a47c140b25e9e100

SHA512
be4395746b1b02af6262d65669c0d6df5228b84e960ee7c2f6dc30ef6aff8c49150235ab0bf1f2e4067a9236b0d95eeddb189c4ba368fb6d4ad2a11a5a9aaf19

Download Submit
C:\Users\Admin\AppData\Roaming\lOtnWPJMDG.js

Filesize
346KB

MD5
cf607336b51230f951c58662b5a1f5ce

SHA1
4415bc64be744d850ab85645b125794e85febff8

SHA256
b24957bc6b75d6b95b90e3dda12c8afe989a3a6b8e59dd418c0afc781267f202

SHA512
5520b012a1aa77b7a5b69d925e60ecab26e3ad83230ec5deea0254b26493bb1a1c9b9fc2aa8e786f21470fd0f5cde57473379b0edbeaf6e5d40a79ae7b7ffba5

Download Submit
C:\Users\Admin\AppData\Roaming\lOtnWPJMDG.js

Filesize
346KB

MD5
cf607336b51230f951c58662b5a1f5ce

SHA1
4415bc64be744d850ab85645b125794e85febff8

SHA256
b24957bc6b75d6b95b90e3dda12c8afe989a3a6b8e59dd418c0afc781267f202

SHA512
5520b012a1aa77b7a5b69d925e60ecab26e3ad83230ec5deea0254b26493bb1a1c9b9fc2aa8e786f21470fd0f5cde57473379b0edbeaf6e5d40a79ae7b7ffba5

Download Submit

Analysis

Sharing