vjw0rm | 7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

General

Target

Purchaseorder.js
Size

3.1MB
MD5

cd12101e3da7cfc1e15be51324d97f26
SHA1

3ef05de60568b30104e18a72b783c8e21fb83c01
SHA256

7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46
SHA512

fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1
SSDEEP

768:qQKDwkB5j+Dd3MLyi/vdvK8cuUzwJBO0enr8uYUlN8b6iLBJbr59RlwDh:x8wkDaDd3gyiVAz10+ouFkPr52d

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://akinbo.ddns.net:6350

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
4	1768	wscript.exe
8	2712	wscript.exe
10	2624	wscript.exe
16	2712	wscript.exe
17	1768	wscript.exe
18	2624	wscript.exe
20	2712	wscript.exe
23	2712	wscript.exe
25	2712	wscript.exe
29	2712	wscript.exe
30	1768	wscript.exe
32	2624	wscript.exe
34	2712	wscript.exe
39	2712	wscript.exe
41	1768	wscript.exe
42	2624	wscript.exe
44	2712	wscript.exe
46	2712	wscript.exe
49	2712	wscript.exe
52	1768	wscript.exe
53	2624	wscript.exe
56	2712	wscript.exe
58	1768	wscript.exe
59	2624	wscript.exe
61	2712	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	23	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	25	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	20	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	39	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript
HTTP User-Agent header	61	WSHRAT\|2C20920D\|KGPMNUDG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/9/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1768	2004	wscript.exe	28
PID 2004 wrote to memory of 1768	2004	wscript.exe	28
PID 2004 wrote to memory of 1768	2004	wscript.exe	28
PID 2004 wrote to memory of 2712	2004	wscript.exe	29
PID 2004 wrote to memory of 2712	2004	wscript.exe	29
PID 2004 wrote to memory of 2712	2004	wscript.exe	29
PID 2712 wrote to memory of 2624	2712	wscript.exe	31
PID 2712 wrote to memory of 2624	2712	wscript.exe	31
PID 2712 wrote to memory of 2624	2712	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchaseorder.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1768
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Purchaseorder.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js

Filesize
1.1MB

MD5
397495356e508277e1aa6e2f24cf43b4

SHA1
eac5ebb135efcf24988cfdf0c42e031630b701a4

SHA256
51e48daa54231a3f5b056882c66fad891cb81d2603a0845e0b44668d4533a3c3

SHA512
953f63373cc8d0c7122def46fa9a97124123b6cac95bcfdf2d783b2be91139a43c51f1936d1197de26b461768bc94fa69911851ff012a8d0f7a5d637b6461fa4

Download Submit
C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js

Filesize
1.1MB

MD5
397495356e508277e1aa6e2f24cf43b4

SHA1
eac5ebb135efcf24988cfdf0c42e031630b701a4

SHA256
51e48daa54231a3f5b056882c66fad891cb81d2603a0845e0b44668d4533a3c3

SHA512
953f63373cc8d0c7122def46fa9a97124123b6cac95bcfdf2d783b2be91139a43c51f1936d1197de26b461768bc94fa69911851ff012a8d0f7a5d637b6461fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js

Filesize
1.1MB

MD5
397495356e508277e1aa6e2f24cf43b4

SHA1
eac5ebb135efcf24988cfdf0c42e031630b701a4

SHA256
51e48daa54231a3f5b056882c66fad891cb81d2603a0845e0b44668d4533a3c3

SHA512
953f63373cc8d0c7122def46fa9a97124123b6cac95bcfdf2d783b2be91139a43c51f1936d1197de26b461768bc94fa69911851ff012a8d0f7a5d637b6461fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js

Filesize
3.1MB

MD5
cd12101e3da7cfc1e15be51324d97f26

SHA1
3ef05de60568b30104e18a72b783c8e21fb83c01

SHA256
7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

SHA512
fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js

Filesize
3.1MB

MD5
cd12101e3da7cfc1e15be51324d97f26

SHA1
3ef05de60568b30104e18a72b783c8e21fb83c01

SHA256
7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

SHA512
fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Purchaseorder.js

Filesize
3.1MB

MD5
cd12101e3da7cfc1e15be51324d97f26

SHA1
3ef05de60568b30104e18a72b783c8e21fb83c01

SHA256
7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

SHA512
fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads