vjw0rm | 878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

General

Target

QuotePRNoPR0078966js.js
Size

2.7MB
MD5

11787e302194face53158981dd1287ad
SHA1

db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2
SHA256

878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031
SHA512

62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203
SSDEEP

24576:ZvCtCaKHazWgAjNbQtkYzN/Z1KsftoAhSAJxjHy9TYbiYY5HXH3Fx0X7HGqLGaTl:mBt

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://79.110.49.161:2050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
23	3444	wscript.exe
24	736	wscript.exe
25	3332	wscript.exe
29	736	wscript.exe
34	3444	wscript.exe
35	3332	wscript.exe
41	736	wscript.exe
42	3444	wscript.exe
43	3332	wscript.exe
48	736	wscript.exe
50	3444	wscript.exe
51	736	wscript.exe
52	3332	wscript.exe
53	736	wscript.exe
54	736	wscript.exe
55	736	wscript.exe
56	736	wscript.exe
57	736	wscript.exe
58	3444	wscript.exe
59	3332	wscript.exe
60	736	wscript.exe
61	736	wscript.exe
62	736	wscript.exe
63	736	wscript.exe
64	736	wscript.exe
65	3444	wscript.exe
66	3332	wscript.exe
67	736	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuotePRNoPR0078966js = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\QuotePRNoPR0078966js.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 13 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	51	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	53	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	54	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	55	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	56	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	57	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	61	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	67	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	48	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	60	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	62	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript
HTTP User-Agent header	63	WSHRAT\|3820C40F\|ESUSNIKR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 27/6/2023\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3444	844	wscript.exe	84
PID 844 wrote to memory of 3444	844	wscript.exe	84
PID 844 wrote to memory of 736	844	wscript.exe	85
PID 844 wrote to memory of 736	844	wscript.exe	85
PID 736 wrote to memory of 3332	736	wscript.exe	86
PID 736 wrote to memory of 3332	736	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\QuotePRNoPR0078966js.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3444
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QuotePRNoPR0078966js.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:3332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotePRNoPR0078966js.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\QuotePRNoPR0078966js.js

Filesize
2.7MB

MD5
11787e302194face53158981dd1287ad

SHA1
db9f3e778c2a89ed5fbe974b9e0fbb01694dfad2

SHA256
878515aa4b2f6edb65201aa9946331781c71b1de80dccba2b16461336a2e2031

SHA512
62a6639cb6d7f579055cba4eaa7fd1d278fd8bfb14caeb6c2dd9010b84d0d6d0979eb1b6422567a6a3a1b1d3b16be67ff8f62b8c2fa99d44d89b5309010f1203

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit
C:\Users\Admin\AppData\Roaming\zmEJfNocrR.js

Filesize
346KB

MD5
29a711b8b45e7e8ab57ac7424fee77cd

SHA1
99298470119f153109036619a50e458438f59dd8

SHA256
4de15ac4e81f38b94b64ee12d54af2b411d459669202ba0b564c538bd6d23658

SHA512
ab7cd866cea5d61f7a71c94cb8c4cc59388a0199d1f3d7aebb1e419a7cbff5c3ef8ba9b983e910294860c2b1146cfe046ca2aab67eba309a03f2f76c5ddd1053

Download Submit

Analysis

Sharing