vjw0rm | 0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

Analysis

max time kernel
256s
max time network
303s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17-10-2023 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js
Size

1.9MB
MD5

f51aee23c560560ae8bddb813dbc69fc
SHA1

fc26a039ed4f48b957463d6dd20bc5c903337268
SHA256

0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1
SHA512

8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397
SSDEEP

12288:TCbvguAMWCPI7nreA07d7x3zqAEiQ3sm0YrYTdmEKGcrtHg2qTecw+z2Om:Qgu37tqAEiQcmGTrKG6t3qTRJm

Score

10^/10

vjw0rm wshrat trojan worm

Malware Config

Extracted

Family

wshrat

http://menge.duckdns.org:5670

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
8	2976	wscript.exe
9	2720	wscript.exe
10	2540	wscript.exe
15	2976	wscript.exe
16	2720	wscript.exe
18	2540	wscript.exe
19	2976	wscript.exe
22	2540	wscript.exe
24	2720	wscript.exe
28	2976	wscript.exe
29	2976	wscript.exe
32	2720	wscript.exe
33	2540	wscript.exe
35	2976	wscript.exe
37	2976	wscript.exe
39	2540	wscript.exe
41	2720	wscript.exe
43	2976	wscript.exe
44	2540	wscript.exe
46	2720	wscript.exe
48	2976	wscript.exe
52	2976	wscript.exe
54	2540	wscript.exe
56	2720	wscript.exe
58	2976	wscript.exe
60	2976	wscript.exe
62	2540	wscript.exe
64	2720	wscript.exe
65	2976	wscript.exe
67	2540	wscript.exe
69	2720	wscript.exe
72	2976	wscript.exe
74	2976	wscript.exe
77	2540	wscript.exe
79	2720	wscript.exe
80	2976	wscript.exe
82	2540	wscript.exe
84	2720	wscript.exe
86	2976	wscript.exe
87	2976	wscript.exe
90	2540	wscript.exe
92	2720	wscript.exe
95	2976	wscript.exe
97	2976	wscript.exe
99	2540	wscript.exe
101	2720	wscript.exe
102	2976	wscript.exe
105	2540	wscript.exe
107	2720	wscript.exe
108	2976	wscript.exe
110	2976	wscript.exe
112	2540	wscript.exe
114	2720	wscript.exe
118	2976	wscript.exe
120	2976	wscript.exe
122	2540	wscript.exe
124	2720	wscript.exe
126	2976	wscript.exe
127	2540	wscript.exe
129	2720	wscript.exe
131	2976	wscript.exe
133	2976	wscript.exe
135	2540	wscript.exe
136	2720	wscript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	58	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	65	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	95	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	110	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	48	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	74	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	102	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	29	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	87	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	131	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	43	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	80	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	15	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	35	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	97	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	133	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	52	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	60	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	108	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	118	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	126	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	19	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	37	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	86	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	120	WSHRAT\|28857F6B\|XOCYHKRS\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2720	2096	wscript.exe	27
PID 2096 wrote to memory of 2720	2096	wscript.exe	27
PID 2096 wrote to memory of 2720	2096	wscript.exe	27
PID 2096 wrote to memory of 2976	2096	wscript.exe	28
PID 2096 wrote to memory of 2976	2096	wscript.exe	28
PID 2096 wrote to memory of 2976	2096	wscript.exe	28
PID 2976 wrote to memory of 2540	2976	wscript.exe	29
PID 2976 wrote to memory of 2540	2976	wscript.exe	29
PID 2976 wrote to memory of 2540	2976	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2720
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js

Filesize
1.9MB

MD5
f51aee23c560560ae8bddb813dbc69fc

SHA1
fc26a039ed4f48b957463d6dd20bc5c903337268

SHA256
0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

SHA512
8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit