Analysis Overview
SHA256
c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350
Threat Level: Known bad
The file neworder.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-26 02:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-26 02:26
Reported
2023-09-26 02:28
Platform
win7-20230831-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C8E3CE58|XEBBURHY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2436 wrote to memory of 2796 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2436 wrote to memory of 2796 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2436 wrote to memory of 2796 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2436 wrote to memory of 2052 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2436 wrote to memory of 2052 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2436 wrote to memory of 2052 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2052 wrote to memory of 2856 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2052 wrote to memory of 2856 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2052 wrote to memory of 2856 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\neworder.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\neworder.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jemyy.theworkpc.com | udp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 8.8.8.8:53 | akinbo.ddns.net | udp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js
| MD5 | 596b02ecc4bc0964ab1a1852fa0a3aa7 |
| SHA1 | 87ada931135f1d66f3a63c653d6934556421d922 |
| SHA256 | 06375c4dce8d2215d5f4efcb7f9d4bc2154df82cb49f5b8ad2cde6b662880d2b |
| SHA512 | 5394a397e818eb8d9f2a6c2849a87201bc4a13314a7ae4381658421eb666023d225e29fdda57b999ecd49b0e445026e522f4be843994688fd415d308bc98c885 |
C:\Users\Admin\AppData\Roaming\neworder.js
| MD5 | cf54d832051744f8a17d8883bb0d7579 |
| SHA1 | 8996b0ea7579eefdc5b143d8e71e00fbabef2749 |
| SHA256 | c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350 |
| SHA512 | 9918d08bdbcec5213e30cc732dbd0705bcc3a7db08090ae8366a57c9cbbb87296861c75eafb6f239deba92711d7cbacd482f2a25dea0ef96545fe00ae0cb40b6 |
C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js
| MD5 | 596b02ecc4bc0964ab1a1852fa0a3aa7 |
| SHA1 | 87ada931135f1d66f3a63c653d6934556421d922 |
| SHA256 | 06375c4dce8d2215d5f4efcb7f9d4bc2154df82cb49f5b8ad2cde6b662880d2b |
| SHA512 | 5394a397e818eb8d9f2a6c2849a87201bc4a13314a7ae4381658421eb666023d225e29fdda57b999ecd49b0e445026e522f4be843994688fd415d308bc98c885 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js
| MD5 | cf54d832051744f8a17d8883bb0d7579 |
| SHA1 | 8996b0ea7579eefdc5b143d8e71e00fbabef2749 |
| SHA256 | c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350 |
| SHA512 | 9918d08bdbcec5213e30cc732dbd0705bcc3a7db08090ae8366a57c9cbbb87296861c75eafb6f239deba92711d7cbacd482f2a25dea0ef96545fe00ae0cb40b6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js
| MD5 | 596b02ecc4bc0964ab1a1852fa0a3aa7 |
| SHA1 | 87ada931135f1d66f3a63c653d6934556421d922 |
| SHA256 | 06375c4dce8d2215d5f4efcb7f9d4bc2154df82cb49f5b8ad2cde6b662880d2b |
| SHA512 | 5394a397e818eb8d9f2a6c2849a87201bc4a13314a7ae4381658421eb666023d225e29fdda57b999ecd49b0e445026e522f4be843994688fd415d308bc98c885 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js
| MD5 | cf54d832051744f8a17d8883bb0d7579 |
| SHA1 | 8996b0ea7579eefdc5b143d8e71e00fbabef2749 |
| SHA256 | c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350 |
| SHA512 | 9918d08bdbcec5213e30cc732dbd0705bcc3a7db08090ae8366a57c9cbbb87296861c75eafb6f239deba92711d7cbacd482f2a25dea0ef96545fe00ae0cb40b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-26 02:26
Reported
2023-09-26 02:28
Platform
win10v2004-20230915-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neworder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\neworder.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|E84DA272|SMIJWJMH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/9/2023|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 404 wrote to memory of 2336 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 404 wrote to memory of 2336 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 404 wrote to memory of 3988 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 404 wrote to memory of 3988 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3988 wrote to memory of 1296 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3988 wrote to memory of 1296 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\neworder.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\neworder.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jemyy.theworkpc.com | udp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 8.8.8.8:53 | akinbo.ddns.net | udp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 8.8.8.8:53 | 6.27.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| SE | 109.248.144.235:5401 | jemyy.theworkpc.com | tcp |
| US | 95.214.27.6:6380 | akinbo.ddns.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js
| MD5 | 596b02ecc4bc0964ab1a1852fa0a3aa7 |
| SHA1 | 87ada931135f1d66f3a63c653d6934556421d922 |
| SHA256 | 06375c4dce8d2215d5f4efcb7f9d4bc2154df82cb49f5b8ad2cde6b662880d2b |
| SHA512 | 5394a397e818eb8d9f2a6c2849a87201bc4a13314a7ae4381658421eb666023d225e29fdda57b999ecd49b0e445026e522f4be843994688fd415d308bc98c885 |
C:\Users\Admin\AppData\Roaming\neworder.js
| MD5 | cf54d832051744f8a17d8883bb0d7579 |
| SHA1 | 8996b0ea7579eefdc5b143d8e71e00fbabef2749 |
| SHA256 | c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350 |
| SHA512 | 9918d08bdbcec5213e30cc732dbd0705bcc3a7db08090ae8366a57c9cbbb87296861c75eafb6f239deba92711d7cbacd482f2a25dea0ef96545fe00ae0cb40b6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\OfYaEGuGdY.js
| MD5 | 596b02ecc4bc0964ab1a1852fa0a3aa7 |
| SHA1 | 87ada931135f1d66f3a63c653d6934556421d922 |
| SHA256 | 06375c4dce8d2215d5f4efcb7f9d4bc2154df82cb49f5b8ad2cde6b662880d2b |
| SHA512 | 5394a397e818eb8d9f2a6c2849a87201bc4a13314a7ae4381658421eb666023d225e29fdda57b999ecd49b0e445026e522f4be843994688fd415d308bc98c885 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfYaEGuGdY.js
| MD5 | 596b02ecc4bc0964ab1a1852fa0a3aa7 |
| SHA1 | 87ada931135f1d66f3a63c653d6934556421d922 |
| SHA256 | 06375c4dce8d2215d5f4efcb7f9d4bc2154df82cb49f5b8ad2cde6b662880d2b |
| SHA512 | 5394a397e818eb8d9f2a6c2849a87201bc4a13314a7ae4381658421eb666023d225e29fdda57b999ecd49b0e445026e522f4be843994688fd415d308bc98c885 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neworder.js
| MD5 | cf54d832051744f8a17d8883bb0d7579 |
| SHA1 | 8996b0ea7579eefdc5b143d8e71e00fbabef2749 |
| SHA256 | c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350 |
| SHA512 | 9918d08bdbcec5213e30cc732dbd0705bcc3a7db08090ae8366a57c9cbbb87296861c75eafb6f239deba92711d7cbacd482f2a25dea0ef96545fe00ae0cb40b6 |