vjw0rm | 1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960

General

Target

1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js
Size

3.8MB
MD5

4c314b9d39669df27156747da107becc
SHA1

69b2083af009d92a0e358562e037422cb0f30d5e
SHA256

1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960
SHA512

30a6ae1aea3221ef5bb7f8f7193b8c5b13b37df690720eab3c7dc8c770a769bd97b7df597bafeb008755c7e6930f0dda7622805337daff77362e479bcc1ab19a
SSDEEP

49152:wnYqXWFGA7tDzPYDHZt7Ilht7iYR0a+CwUCIVPrROXv54DOC849xV2jXz2FOz:k

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://46.183.223.73:7000

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 52 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
12	3380	wscript.exe
26	2836	wscript.exe
27	3120	wscript.exe
36	3380	wscript.exe
42	3380	wscript.exe
51	3120	wscript.exe
52	2836	wscript.exe
61	3380	wscript.exe
70	3380	wscript.exe
71	3120	wscript.exe
72	2836	wscript.exe
74	3380	wscript.exe
90	3380	wscript.exe
98	2836	wscript.exe
99	3380	wscript.exe
100	3120	wscript.exe
126	3380	wscript.exe
133	3380	wscript.exe
139	2836	wscript.exe
144	3380	wscript.exe
145	3120	wscript.exe
154	3380	wscript.exe
161	3380	wscript.exe
168	3380	wscript.exe
171	3120	wscript.exe
181	2836	wscript.exe
187	3380	wscript.exe
196	3380	wscript.exe
201	2836	wscript.exe
203	3120	wscript.exe
206	3380	wscript.exe
216	3380	wscript.exe
219	2836	wscript.exe
221	3120	wscript.exe
225	3380	wscript.exe
243	3380	wscript.exe
262	3120	wscript.exe
263	3380	wscript.exe
264	2836	wscript.exe
274	3380	wscript.exe
280	3120	wscript.exe
283	3380	wscript.exe
286	2836	wscript.exe
290	3380	wscript.exe
292	3120	wscript.exe
295	3380	wscript.exe
298	2836	wscript.exe
301	3380	wscript.exe
310	3380	wscript.exe
313	2836	wscript.exe
315	3120	wscript.exe
324	3380	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrxtdWzuVD.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrxtdWzuVD.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrxtdWzuVD.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	99	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	187	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	216	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	263	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	283	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	42	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	61	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	243	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	74	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	168	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	206	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	225	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	274	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	290	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	144	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	196	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	70	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	90	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	301	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	12	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	36	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	126	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	133	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	154	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	161	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	295	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript
HTTP User-Agent header	310	WSHRAT\|4417DEC7\|SLVJLBBW\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/3/2024\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 3248 wrote to memory of 2836	3248	wscript.exe	wscript.exe
PID 3248 wrote to memory of 2836	3248	wscript.exe	wscript.exe
PID 3248 wrote to memory of 3380	3248	wscript.exe	wscript.exe
PID 3248 wrote to memory of 3380	3248	wscript.exe	wscript.exe
PID 3380 wrote to memory of 3120	3380	wscript.exe	wscript.exe
PID 3380 wrote to memory of 3120	3380	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KrxtdWzuVD.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:2836

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KrxtdWzuVD.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960.js
Filesize
3.8MB

MD5
4c314b9d39669df27156747da107becc

SHA1
69b2083af009d92a0e358562e037422cb0f30d5e

SHA256
1dd3bb76323b4cef240b169318d78ba1a360574382fb2d9f42a1888fe3fc3960

SHA512
30a6ae1aea3221ef5bb7f8f7193b8c5b13b37df690720eab3c7dc8c770a769bd97b7df597bafeb008755c7e6930f0dda7622805337daff77362e479bcc1ab19a

Download Submit
C:\Users\Admin\AppData\Roaming\KrxtdWzuVD.js
Filesize
346KB

MD5
df23d63d03a3f3bbc346c661216a1443

SHA1
2d17a533f3e783d173de526a9841bb896980161f

SHA256
b6c75bec3bac9f66e932372b1646945b0277c45659fcd657f9c0a2f7da625088

SHA512
20574b586f3d78c96a05fe41c16be1e59acdb15f6dc0ba4037d1986769852e8bb1d08b32579fb41bbb71f68cc32170e128e96ee65f42b9dec3f1204ed9d7d662

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads