vjw0rm | 878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

General

Target

Quote PR No PR0078966.js
Size

2.7MB
MD5

11787e302194face53158981dd1287ad
SHA1

db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2
SHA256

878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031
SHA512

62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203
SSDEEP

24576:ZvCtCaKHazWgAjNbQtkYzN/Z1KsftoAhSAJxjHy9TYbiYY5HXH3Fx0X7HGqLGaTl:mBt

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://79.110.49.161:2050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
9	1804	wscript.exe
10	1396	wscript.exe
11	1984	wscript.exe
17	1984	wscript.exe
19	1804	wscript.exe
20	1396	wscript.exe
22	1984	wscript.exe
26	1396	wscript.exe
28	1804	wscript.exe
29	1984	wscript.exe
30	1984	wscript.exe
36	1984	wscript.exe
37	1396	wscript.exe
39	1804	wscript.exe
41	1984	wscript.exe
42	1984	wscript.exe
44	1984	wscript.exe
46	1984	wscript.exe
48	1984	wscript.exe
51	1396	wscript.exe
53	1804	wscript.exe
54	1984	wscript.exe
55	1984	wscript.exe
56	1984	wscript.exe
59	1984	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	48	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	54	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	55	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	36	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	41	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	30	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	42	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	56	WSHRAT\|54FCFBCC\|ZKKYSKKQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1804	1260	wscript.exe	28
PID 1260 wrote to memory of 1804	1260	wscript.exe	28
PID 1260 wrote to memory of 1804	1260	wscript.exe	28
PID 1260 wrote to memory of 1984	1260	wscript.exe	29
PID 1260 wrote to memory of 1984	1260	wscript.exe	29
PID 1260 wrote to memory of 1984	1260	wscript.exe	29
PID 1984 wrote to memory of 1396	1984	wscript.exe	31
PID 1984 wrote to memory of 1396	1984	wscript.exe	31
PID 1984 wrote to memory of 1396	1984	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Quote PR No PR0078966.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1804
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quote PR No PR0078966.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\Quote PR No PR0078966.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit

Analysis

Sharing