vjw0rm | 878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

General

Target

QuotePRNoPR0078966js.js
Size

2.7MB
MD5

11787e302194face53158981dd1287ad
SHA1

db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2
SHA256

878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031
SHA512

62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203
SSDEEP

24576:ZvCtCaKHazWgAjNbQtkYzN/Z1KsftoAhSAJxjHy9TYbiYY5HXH3Fx0X7HGqLGaTl:mBt

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://79.110.49.161:2050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
6	268	wscript.exe
9	112	wscript.exe
10	688	wscript.exe
14	688	wscript.exe
17	268	wscript.exe
19	112	wscript.exe
22	688	wscript.exe
23	268	wscript.exe
25	112	wscript.exe
27	688	wscript.exe
29	688	wscript.exe
34	688	wscript.exe
36	268	wscript.exe
38	112	wscript.exe
39	688	wscript.exe
41	688	wscript.exe
44	688	wscript.exe
46	688	wscript.exe
49	688	wscript.exe
52	268	wscript.exe
54	112	wscript.exe
55	688	wscript.exe
57	688	wscript.exe
60	688	wscript.exe
62	688	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	60	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	27	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	49	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	55	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	39	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	41	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	57	WSHRAT\|6C1590D1\|MSOKFDFP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/6/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 268	1456	wscript.exe	28
PID 1456 wrote to memory of 268	1456	wscript.exe	28
PID 1456 wrote to memory of 268	1456	wscript.exe	28
PID 1456 wrote to memory of 688	1456	wscript.exe	29
PID 1456 wrote to memory of 688	1456	wscript.exe	29
PID 1456 wrote to memory of 688	1456	wscript.exe	29
PID 688 wrote to memory of 112	688	wscript.exe	31
PID 688 wrote to memory of 112	688	wscript.exe	31
PID 688 wrote to memory of 112	688	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\QuotePRNoPR0078966js.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:268
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QuotePRNoPR0078966js.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\QuotePRNoPR0078966js.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit

Analysis

Sharing