Overview

overview

10

Static

static

4.js

windows7_x64

10

4.js

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    07-07-2021 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4.js

  • Size

    9KB

  • MD5

    b5e34472d72474569a2332ce317f4cc1

  • SHA1

    209017707d1e40faa9ec527e2128ef25de4b76ce

  • SHA256

    99d7b67e0d011b22fe3e491445fe0a6dab5e6999d8f7fb99ec505d434255d712

  • SHA512

    2d18a8be9a19fa77336d950c18257039f4fe5165c354aae253efba0509c72a879a6ccbf3ec2275345deeed39d31227ae95ff7c56fa1583919e715ad6f5ba0094

Score
10/10
vjw0rmwshratpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 5 IoCs
  • Drops startup file 6 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\4.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\4.js
      2⤵
      • Creates scheduled task(s)
      PID:1348
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
        3⤵
        • Creates scheduled task(s)
        PID:1064
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XJYUPBHN6D.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XJYUPBHN6D.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
    MD5

    1fcdabf0091e9b0c9688f3197749cc51

    SHA1

    758692234294f34d068477aef9b37389f9abb13b

    SHA256

    8676da33f9c52582e2759516dbd1d19e836edcc1132babf4839d81e6b3b08a07

    SHA512

    b484f33c7ea540c08e06d02742d925a4867af8b7046b028f81a4be53acc8290fcbd703704e3ae032cde449914acb5495244460749c9cf1fc08e1bbdc61233748

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\XJYUPBHN6D.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJYUPBHN6D.js
    MD5

    986ceec84affa9a0a26c7839d8b85d4e

    SHA1

    2e16b61f2e31f78596a6cf6a195b56cf1565de44

    SHA256

    940a421c5562c47d33f2387ae9224ab4c7053edc9ef4cb2edadf2335ad73ddc1

    SHA512

    fd34817a87163aa2112ee3c7590564a8e14c0ec7e0c29bd73ffd38907aaef53751ea6acbc73f2a79668a7716b25d4d30e9bf34647a800e75a8992c424a7dc0c6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\XJYUPBHN6D.js
    MD5

    6874d678e690727b4a78c048c4a52ce1

    SHA1

    b3da716221772dd30e68f38177295d6c8162d548

    SHA256

    b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58

    SHA512

    d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

    Download Submit
  • memory/112-60-0x0000000000000000-mapping.dmp
    Download
  • memory/920-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1064-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1348-59-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-65-0x0000000000000000-mapping.dmp
    Download