vjw0rm | 1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960

General

Target

Inquiry 006042099.js
Size

3.8MB
MD5

4c314b9d39669df27156747da107becc
SHA1

69b2083af009d92a0e358562e037422cb0f30d5e
SHA256

1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960
SHA512

30a6ae1aea3221ef5bb7f8f7193b8c5b13b37df690720eab3c7dc8c770a769bd97b7df597bafeb008755c7e6930f0dda7622805337daff77362e479bcc1ab19a
SSDEEP

49152:wnYqXWFGA7tDzPYDHZt7Ilht7iYR0a+CwUCIVPrROXv54DOC849xV2jXz2FOz:k

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://46.183.223.73:7000

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 35 IoCs

flow	pid	Process
4	1064	wscript.exe
7	2204	wscript.exe
9	3036	wscript.exe
11	2204	wscript.exe
12	2204	wscript.exe
16	2204	wscript.exe
19	2204	wscript.exe
20	1064	wscript.exe
22	3036	wscript.exe
24	2204	wscript.exe
26	2204	wscript.exe
29	2204	wscript.exe
31	2204	wscript.exe
35	2204	wscript.exe
36	1064	wscript.exe
38	3036	wscript.exe
39	2204	wscript.exe
41	2204	wscript.exe
48	2204	wscript.exe
49	1064	wscript.exe
51	2204	wscript.exe
53	3036	wscript.exe
54	2204	wscript.exe
58	2204	wscript.exe
59	2204	wscript.exe
62	2204	wscript.exe
65	2204	wscript.exe
67	1064	wscript.exe
69	3036	wscript.exe
71	2204	wscript.exe
76	2204	wscript.exe
77	1064	wscript.exe
79	3036	wscript.exe
80	2204	wscript.exe
83	2204	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrxtdWzuVD.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Inquiry 006042099.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrxtdWzuVD.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Inquiry 006042099.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrxtdWzuVD.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inquiry 006042099 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Inquiry 006042099.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inquiry 006042099 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Inquiry 006042099.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inquiry 006042099 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Inquiry 006042099.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inquiry 006042099 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Inquiry 006042099.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 21 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	51	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	59	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	11	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	39	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	41	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	54	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	58	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	16	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	29	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	31	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	48	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	62	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	80	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	12	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	26	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	24	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	35	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	65	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	76	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	7	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript
HTTP User-Agent header	19	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 11/3/2024\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1064	2016	wscript.exe	28
PID 2016 wrote to memory of 1064	2016	wscript.exe	28
PID 2016 wrote to memory of 1064	2016	wscript.exe	28
PID 2016 wrote to memory of 2204	2016	wscript.exe	29
PID 2016 wrote to memory of 2204	2016	wscript.exe	29
PID 2016 wrote to memory of 2204	2016	wscript.exe	29
PID 2204 wrote to memory of 3036	2204	wscript.exe	31
PID 2204 wrote to memory of 3036	2204	wscript.exe	31
PID 2204 wrote to memory of 3036	2204	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry 006042099.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KrxtdWzuVD.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1064
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Inquiry 006042099.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KrxtdWzuVD.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Inquiry 006042099.js

Filesize
3.8MB

MD5
4c314b9d39669df27156747da107becc

SHA1
69b2083af009d92a0e358562e037422cb0f30d5e

SHA256
1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960

SHA512
30a6ae1aea3221ef5bb7f8f7193b8c5b13b37df690720eab3c7dc8c770a769bd97b7df597bafeb008755c7e6930f0dda7622805337daff77362e479bcc1ab19a

Download Submit
C:\Users\Admin\AppData\Roaming\KrxtdWzuVD.js

Filesize
346KB

MD5
df23d63d03a3f3bbc346c661216a1443

SHA1
2d17a533f3e783d173de526a9841bb896980161f

SHA256
b6c75bec3bac9f66e932372b1646945b0277c45659fcd657f9c0a2f7da625088

SHA512
20574b586f3d78c96a05fe41c16be1e59acdb15f6dc0ba4037d1986769852e8bb1d08b32579fb41bbb71f68cc32170e128e96ee65f42b9dec3f1204ed9d7d662

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads