Overview

overview

10

Static

static

ef941e9a12...408.js

windows7_x64

10

ef941e9a12...408.js

windows10_x64

10

Analysis

  • max time kernel
    297s
  • max time network
    335s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03-08-2021 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef941e9a12dd57020e8c110e4978fb953b3d41f482f650184980318676fd0408.js

  • Size

    19KB

  • MD5

    136475f8c1a1c7f23d87ea255926df15

  • SHA1

    a2f0c5d389116df32e96c5e03210c370ea04da09

  • SHA256

    ef941e9a12dd57020e8c110e4978fb953b3d41f482f650184980318676fd0408

  • SHA512

    577ea90c902e95dd8ce1bf8227fad2439023d52733c57ccf3d1fe20e21c19b14529f1e23e75ef756b28c0c83d03c1a0a0e09ab5d04208a019647c15a2f5b070e

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ef941e9a12dd57020e8c110e4978fb953b3d41f482f650184980318676fd0408.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HDOoLbqFXE.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1980
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\ef941e9a12dd57020e8c110e4978fb953b3d41f482f650184980318676fd0408.js
      2⤵
      • Creates scheduled task(s)
      PID:692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\HDOoLbqFXE.js
    MD5

    ceeeec8799d66c2d6b0b63cf3fb7d639

    SHA1

    46126751e39598977890ddd9bfdff6249003e03e

    SHA256

    8f8adf65125e8492b2af0ad5953214880aabb6f8718a9bed0d3723507c360701

    SHA512

    fde12c110bbac932aad37e859ce43e2299def8555fe85e42155d34198fccf8038b459217b183ea223dadc6db7e715a14a7a743b7e85e6ae22844dc1a86f117e1

    Download Submit

  • memory/692-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1980-59-0x0000000000000000-mapping.dmp

    Download