vjw0rm | 6ac96e55099f4737d755e8caa4a03a4ad47faec1e7d133c3eb67c9a7057cd574

General

Target

34003198.pdf.js
Size

3.8MB
MD5

6812d6fba47adabb337563ca20fa84f8
SHA1

2ab5b312c71f2a60d53c16fad7690291ea6d5bb0
SHA256

6ac96e55099f4737d755e8caa4a03a4ad47faec1e7d133c3eb67c9a7057cd574
SHA512

63d595755ddb4f6b680fb41068f285fbfa6b87d508b7efe1c2f481e70722a2d08669f15b08e362e8db0fdbd85f84796d1f1dd48717c7bf6392055dbbedfeaeae
SSDEEP

49152:DVz6cMuHZupT2iUkP6qOyJdCt6x9loTDW6bK53j+ji48++M0fTW/JDy4TaERYUbB:V

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://jemyy.theworkpc.com:5401

Extracted

Family

wshrat

C2

http://94.156.71.108:1604

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 30 IoCs

flow	pid	Process
19	3808	wscript.exe
23	4408	wscript.exe
24	2380	wscript.exe
26	4408	wscript.exe
30	4408	wscript.exe
33	4408	wscript.exe
38	4408	wscript.exe
53	4408	wscript.exe
54	4408	wscript.exe
55	4408	wscript.exe
56	4408	wscript.exe
57	4408	wscript.exe
58	4408	wscript.exe
62	4408	wscript.exe
63	4408	wscript.exe
64	4408	wscript.exe
67	4408	wscript.exe
69	4408	wscript.exe
73	4408	wscript.exe
74	4408	wscript.exe
75	4408	wscript.exe
77	4408	wscript.exe
78	4408	wscript.exe
79	4408	wscript.exe
80	4408	wscript.exe
81	3808	wscript.exe
82	2380	wscript.exe
83	4408	wscript.exe
87	4408	wscript.exe
89	4408	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bCdHGOcGLp.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bCdHGOcGLp.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bCdHGOcGLp.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34003198 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\34003198.pdf.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34003198 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\34003198.pdf.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34003198 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\34003198.pdf.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34003198 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\34003198.pdf.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	78	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	83	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	23	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	26	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	30	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	58	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	79	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	80	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	77	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	33	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	38	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	54	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	62	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	64	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	67	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	74	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	69	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	55	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	56	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	63	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	87	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	53	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	57	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	73	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	75	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript
HTTP User-Agent header	89	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/4/2024\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3808	956	wscript.exe	91
PID 956 wrote to memory of 3808	956	wscript.exe	91
PID 956 wrote to memory of 4408	956	wscript.exe	92
PID 956 wrote to memory of 4408	956	wscript.exe	92
PID 4408 wrote to memory of 2380	4408	wscript.exe	94
PID 4408 wrote to memory of 2380	4408	wscript.exe	94

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\34003198.pdf.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bCdHGOcGLp.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3808
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\34003198.pdf.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bCdHGOcGLp.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\34003198.pdf.js

Filesize
448KB

MD5
14513be3daad3c93fc538bc5a0ee349d

SHA1
3d9a122d8c3bc780a4b416b6bd50a29e6ad5d396

SHA256
b3e52845d939dae815fd25b03d4537e9f163f58f554ab9f64de5e28a121b9997

SHA512
2110dbd4bb52c2820be2d86575977ff787358d515cc380973417778eb57045a2eb37a8e435cf4169f0fe7d5c739e4259307c90bcce198cb22171c5582a04d31d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js

Filesize
192KB

MD5
d80b734a5be837aa440f3280454c6f08

SHA1
073a70afb1f174f796311d089fe65c4528baa73b

SHA256
52ce4a7dd1be5adf4aac9eea15e1516f7c3d8da61a7dfbf578ea037b09a8c2ad

SHA512
ee58f44d5405f00ba6d7cffc224f9c7b594dd6a6b9bea6d478f765549fbd34a480c995d58711621491b9145e670d4752295b38a973366a57bd4d02830f8605aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js

Filesize
2.1MB

MD5
6f05c7ee362e2b1e1eab6494182bdc3b

SHA1
e1ad7f7f3c3275dc712a299a86ee21958249e7c0

SHA256
790e2317fd19222cdcc99b934113adce90a4d57599fe2df6a500d71ab7d033b6

SHA512
2beacebb5a9f82bfd9a0b992645ec167eb98b7af1e1627abc543dcb7253cecf6be30f391c5f19f3f63c4fb193c14a9a9503127bf37f0c9be9ff6104a2a088b95

Download Submit
C:\Users\Admin\AppData\Roaming\bCdHGOcGLp.js

Filesize
346KB

MD5
ef0b971ae6f0713ad41a7774539bb787

SHA1
30e622c882a4e44b193d36c1a81d78850fe70c00

SHA256
62563b71eed9b8356f69bf8ba95e4664d6f936e485975d19cb04e7f456495fd3

SHA512
d9308bb70542e0ea6f080f5a2eafc528dd037fefe3a4b83a29721b161212572db27e20fa0d08d03dac0ae1691dd0f7c40471ab03d886158305d12ba4f48d1dc2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads