Overview

overview

10

Static

static

#W0091.js

windows7_x64

10

#W0091.js

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    27-08-2021 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    #W0091.js

  • Size

    12KB

  • MD5

    d9cf0592d6515534cb8efa5b63cfae5b

  • SHA1

    93764956ad2a38d3f70dde3ac0410b367bb8a92b

  • SHA256

    ecb06a64c672927554eeb66d6b0552a147e35eb85a30dadf28d4a2f92d8cb45d

  • SHA512

    e739a973e401bd3f96721a18fa1dbb5827e63365c4dacc46c7017adc0f6c93cc82b1c0d9fa71726b8e77b6fe1bdad4863d7ba2b4b71741fd001ce912557673f3

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 17 IoCs
  • Drops startup file 6 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\#W0091.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#W0091.js
      2⤵
      • Creates scheduled task(s)
      PID:1132
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Z23K20ZB7L.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Z23K20ZB7L.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1784
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RX7V5HA0F8.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\RX7V5HA0F8.js
        3⤵
        • Creates scheduled task(s)
        PID:820
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VMGOLB27GG.js"
      2⤵
        PID:1492

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RX7V5HA0F8.js
      MD5

      737ab81779d546b3ccc019569acb0269

      SHA1

      d746edccdfb5ba9f357ab6a6281c1c09c25b5912

      SHA256

      81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c

      SHA512

      961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\VMGOLB27GG.js
      MD5

      737ab81779d546b3ccc019569acb0269

      SHA1

      d746edccdfb5ba9f357ab6a6281c1c09c25b5912

      SHA256

      81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c

      SHA512

      961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Z23K20ZB7L.js
      MD5

      2471491441a6ab34e7647dca6014d354

      SHA1

      be879fe6e18938b59642490e53030f4d457d3f1a

      SHA256

      34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8

      SHA512

      7f5991b29e091dfcea4b0924f4736e3619e4f9fcc99f66ae18592ba9981ec228f9081a3e9fa86e8d8ba9c93f31ac46394b3cd723679bad8715f31013efe0f7fb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z23K20ZB7L.js
      MD5

      2471491441a6ab34e7647dca6014d354

      SHA1

      be879fe6e18938b59642490e53030f4d457d3f1a

      SHA256

      34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8

      SHA512

      7f5991b29e091dfcea4b0924f4736e3619e4f9fcc99f66ae18592ba9981ec228f9081a3e9fa86e8d8ba9c93f31ac46394b3cd723679bad8715f31013efe0f7fb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Z23K20ZB7L.js
      MD5

      2471491441a6ab34e7647dca6014d354

      SHA1

      be879fe6e18938b59642490e53030f4d457d3f1a

      SHA256

      34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8

      SHA512

      7f5991b29e091dfcea4b0924f4736e3619e4f9fcc99f66ae18592ba9981ec228f9081a3e9fa86e8d8ba9c93f31ac46394b3cd723679bad8715f31013efe0f7fb

      Download Submit
    • memory/584-61-0x0000000000000000-mapping.dmp
      Download
    • memory/820-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1028-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1492-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-63-0x0000000000000000-mapping.dmp
      Download