Overview

overview

10

Static

static

Order234.js

windows7_x64

10

Order234.js

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    206s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    31-08-2021 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order234.js

  • Size

    32KB

  • MD5

    2921078ffa801cc6b1f03e43ecc21969

  • SHA1

    906058e1e1ce4d586426ae1ad70d971f3da83a17

  • SHA256

    4dcdeee1e442d12f58dd818e95c31f562d34546c4d61618f7e6322a8c2b5fa0e

  • SHA512

    92cf75cd46faf4b277145bb5a288aa766ba0154a26a7f2def79b33b758847df2a72d7adec103b358a7ef5b09d6a988327c70729903acef394faeea259d99fa35

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 47 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Order234.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:528
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\TN.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TN.vbs
    MD5

    67d1ef16a441f01f3cdb946fb37c338c

    SHA1

    85e95317dee6b010143ca8c4ae3e95f4423c8d2b

    SHA256

    504e732364e1c8430aa692b4a8bfc1b1e72f4fc1bcd478ba9a5f74627a0f409f

    SHA512

    f5efab36ce98a5473d2e5706751fdf13d29367b5b2b1c40d75ea2f7e687ec5bc0eee9caa3dcee25dafc81f3f84a58ba5be7ce9b8201ba0214945a1beb2e337e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js
    MD5

    f44c78ecda070300932b3f777006e1b3

    SHA1

    fdd5655ded64f931fdabe8d66e2e95cfc49bdff8

    SHA256

    406662bc108dd5d3b21b23428e2e438696d92195cd08f149ea954eed4a1bc401

    SHA512

    6cfc61656929ca4a5182b3b086f9b5eefadcf6d5228a53bae8b16b432fd54b9b571213b064d792eaa07a8fb54253e78ec4feb1aabe4ee6b71642a139e08bc0d1

    Download Submit
  • memory/528-59-0x0000000000000000-mapping.dmp
    Download
  • memory/540-60-0x0000000000000000-mapping.dmp
    Download