vjw0rm | 878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

General

Target

Quote PR No PR0078966.js
Size

2.7MB
MD5

11787e302194face53158981dd1287ad
SHA1

db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2
SHA256

878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031
SHA512

62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203
SSDEEP

24576:ZvCtCaKHazWgAjNbQtkYzN/Z1KsftoAhSAJxjHy9TYbiYY5HXH3Fx0X7HGqLGaTl:mBt

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://79.110.49.161:2050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
11	3288	wscript.exe
12	4112	wscript.exe
13	2072	wscript.exe
15	4112	wscript.exe
22	3288	wscript.exe
25	2072	wscript.exe
29	4112	wscript.exe
30	3288	wscript.exe
31	2072	wscript.exe
34	4112	wscript.exe
35	3288	wscript.exe
36	2072	wscript.exe
38	4112	wscript.exe
40	4112	wscript.exe
41	3288	wscript.exe
42	2072	wscript.exe
43	4112	wscript.exe
44	4112	wscript.exe
45	4112	wscript.exe
46	4112	wscript.exe
47	4112	wscript.exe
48	3288	wscript.exe
49	2072	wscript.exe
50	4112	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote PR No PR0078966 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote PR No PR0078966.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	46	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	47	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	50	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	38	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	40	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	43	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	45	WSHRAT\|DC4FC4A6\|GAJYPACP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3288	1584	wscript.exe	84
PID 1584 wrote to memory of 3288	1584	wscript.exe	84
PID 1584 wrote to memory of 4112	1584	wscript.exe	85
PID 1584 wrote to memory of 4112	1584	wscript.exe	85
PID 4112 wrote to memory of 2072	4112	wscript.exe	86
PID 4112 wrote to memory of 2072	4112	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Quote PR No PR0078966.js"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3288
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quote PR No PR0078966.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote PR No PR0078966.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\Quote PR No PR0078966.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit

Analysis

Sharing