vjw0rm | 0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2023 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js
Size

1.9MB
MD5

f51aee23c560560ae8bddb813dbc69fc
SHA1

fc26a039ed4f48b957463d6dd20bc5c903337268
SHA256

0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1
SHA512

8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397
SSDEEP

12288:TCbvguAMWCPI7nreA07d7x3zqAEiQ3sm0YrYTdmEKGcrtHg2qTecw+z2Om:Qgu37tqAEiQcmGTrKG6t3qTRJm

Score

10^/10

vjw0rm wshrat trojan worm

Malware Config

Extracted

Family

wshrat

http://menge.duckdns.org:5670

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 60 IoCs

flow	pid	Process
9	3252	wscript.exe
10	1444	wscript.exe
11	1400	wscript.exe
13	1444	wscript.exe
23	1444	wscript.exe
24	3252	wscript.exe
25	1400	wscript.exe
26	1444	wscript.exe
27	1444	wscript.exe
28	3252	wscript.exe
29	1400	wscript.exe
30	1444	wscript.exe
31	1444	wscript.exe
40	3252	wscript.exe
41	1400	wscript.exe
47	1444	wscript.exe
48	1444	wscript.exe
51	3252	wscript.exe
52	1400	wscript.exe
57	1444	wscript.exe
58	1444	wscript.exe
59	3252	wscript.exe
60	1400	wscript.exe
61	1444	wscript.exe
62	3252	wscript.exe
63	1400	wscript.exe
64	1444	wscript.exe
66	1444	wscript.exe
70	3252	wscript.exe
71	1400	wscript.exe
72	1444	wscript.exe
73	1444	wscript.exe
74	1400	wscript.exe
75	3252	wscript.exe
76	1444	wscript.exe
77	1400	wscript.exe
78	3252	wscript.exe
79	1444	wscript.exe
81	1444	wscript.exe
82	1400	wscript.exe
83	3252	wscript.exe
84	1444	wscript.exe
85	1444	wscript.exe
86	1400	wscript.exe
87	3252	wscript.exe
88	1444	wscript.exe
89	1400	wscript.exe
90	3252	wscript.exe
91	1444	wscript.exe
92	1444	wscript.exe
97	1400	wscript.exe
98	3252	wscript.exe
99	1444	wscript.exe
100	1444	wscript.exe
101	1400	wscript.exe
102	3252	wscript.exe
103	1444	wscript.exe
104	1400	wscript.exe
105	3252	wscript.exe
106	1444	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	91	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	100	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	103	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	27	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	73	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	106	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	47	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	61	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	13	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	92	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	48	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	57	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	85	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	26	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	64	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	66	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	88	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	31	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	30	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	84	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	99	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	58	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	79	WSHRAT\|E24BB934\|BQNDLEKG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/10/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3252	4836	wscript.exe	83
PID 4836 wrote to memory of 3252	4836	wscript.exe	83
PID 4836 wrote to memory of 1444	4836	wscript.exe	84
PID 4836 wrote to memory of 1444	4836	wscript.exe	84
PID 1444 wrote to memory of 1400	1444	wscript.exe	86
PID 1444 wrote to memory of 1400	1444	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3252
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\New DHL Shipment Document Arrival Notice Shipping Documents Original BL, Invoice & Packing List.js

Filesize
1.9MB

MD5
f51aee23c560560ae8bddb813dbc69fc

SHA1
fc26a039ed4f48b957463d6dd20bc5c903337268

SHA256
0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

SHA512
8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit