Overview

overview

10

Static

static

TBA1610955.js

windows7_x64

10

TBA1610955.js

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-06-2021 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TBA1610955.js

  • Size

    9KB

  • MD5

    e3cb5fb484ec5e048872f59a9d48bcd3

  • SHA1

    ecd7f55a9050d3af0110e857a2133507108c8609

  • SHA256

    7437f9bdb9a271fc9fa6f4b165675e08d53c00e62a61e634c4ee34ed01b73b0a

  • SHA512

    c13e9a7434afcb4436b560f3f58dc2cdf2934f688cd39c0065429dd680375b575fce55fcf31c70d08b345f64d56dc5d7955caa2e831bc8ad0b4c62547beb0523

Score
10/10
vjw0rmwshratpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 26 IoCs
  • Drops startup file 10 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Script User-Agent 21 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\TBA1610955.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\TBA1610955.js
      2⤵
      • Creates scheduled task(s)
      PID:1052
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\N3QEHAC7O1.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\N3QEHAC7O1.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1552
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SZI26OUTHY.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\SZI26OUTHY.js
        3⤵
        • Creates scheduled task(s)
        PID:432
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Z8A6DCIMF1.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Z8A6DCIMF1.js
        3⤵
        • Creates scheduled task(s)
        PID:1588
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JQ3BTIXVQ3.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JQ3BTIXVQ3.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\json[1].json
    MD5

    0c17abb0ed055fecf0c48bb6e46eb4eb

    SHA1

    a692730c8ec7353c31b94a888f359edb54aaa4c8

    SHA256

    f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

    SHA512

    645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JQ3BTIXVQ3.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\N3QEHAC7O1.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\SZI26OUTHY.js
    MD5

    1fcdabf0091e9b0c9688f3197749cc51

    SHA1

    758692234294f34d068477aef9b37389f9abb13b

    SHA256

    8676da33f9c52582e2759516dbd1d19e836edcc1132babf4839d81e6b3b08a07

    SHA512

    b484f33c7ea540c08e06d02742d925a4867af8b7046b028f81a4be53acc8290fcbd703704e3ae032cde449914acb5495244460749c9cf1fc08e1bbdc61233748

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Z8A6DCIMF1.js
    MD5

    1fcdabf0091e9b0c9688f3197749cc51

    SHA1

    758692234294f34d068477aef9b37389f9abb13b

    SHA256

    8676da33f9c52582e2759516dbd1d19e836edcc1132babf4839d81e6b3b08a07

    SHA512

    b484f33c7ea540c08e06d02742d925a4867af8b7046b028f81a4be53acc8290fcbd703704e3ae032cde449914acb5495244460749c9cf1fc08e1bbdc61233748

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JQ3BTIXVQ3.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JQ3BTIXVQ3.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N3QEHAC7O1.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • C:\Users\Admin\AppData\Roaming\N3QEHAC7O1.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • memory/432-67-0x0000000000000000-mapping.dmp
    Download
  • memory/556-73-0x0000000000000000-mapping.dmp
    Download
  • memory/652-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1052-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1356-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1544-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1552-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1588-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1596-68-0x0000000000000000-mapping.dmp
    Download