Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    31-08-2021 16:35

General

  • Target

    #P0081.js

  • Size

    12KB

  • MD5
    f11cc55481ff89ec58a4deae47fbd05c
  • SHA1
    d777ebeae01c1ebe4b5167660d086142ddc8b886
  • SHA256
    154a7b5cc9e3c3f3d4721ebe993f88b7594efa3f2b3b1d61a23c8f6fae409f32
  • SHA512
    026ad8686b8073c8a3b219309d09b97b7372eec6b24be907897b36064917a2c9a925f25ef063020a9da005fe8048db861130d82bbc5c989fce65cd4aecfd9412

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 29 IoCs
  • Drops startup file 8 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\#P0081.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#P0081.js
      2⤵
      • Creates scheduled task(s)
      PID:684
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QYQO3A4HSV.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QYQO3A4HSV.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2276
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZM7G2H873M.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZM7G2H873M.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2176
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7GYRYL2WHW.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\7GYRYL2WHW.js
        3⤵
        • Creates scheduled task(s)
        PID:3952

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\json[1].json
    MD5: 0c17abb0ed055fecf0c48bb6e46eb4eb
    SHA1: a692730c8ec7353c31b94a888f359edb54aaa4c8
    SHA256: f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
    SHA512: 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

  • C:\Users\Admin\AppData\Local\Temp\7GYRYL2WHW.js
    MD5: 737ab81779d546b3ccc019569acb0269
    SHA1: d746edccdfb5ba9f357ab6a6281c1c09c25b5912
    SHA256: 81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c
    SHA512: 961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951

  • C:\Users\Admin\AppData\Local\Temp\QYQO3A4HSV.js
    MD5: 89163b043aec880959009669fc474944
    SHA1: 3b7c55c3a4c6f4711d426dc27fb8a17e11af3de8
    SHA256: 45bfabe4a6881d0321bac8905924576300aa5e20d502840e9196f5ca5fcf8836
    SHA512: eeb0074471e34becabb94c6ebcf3be3c31f47bbaba8dd9a38fef10c44af16cd08a5fc5bcbd970c1110ed53b409fa90b053e2987298ca0839fc0bed4ebbb654ae

  • C:\Users\Admin\AppData\Local\Temp\ZM7G2H873M.js
    MD5: eeb113b12cde1c10b750e987d1377987
    SHA1: ecc3ad2423c8a6fa71075755e17931845f9d526e
    SHA256: 8534f6deb0eb684d41427390e89265b176a4ca54a493b495e2ed3e2e96e24cf2
    SHA512: 70b8b89580599ff746f75367848ed46aa64d97077757d7d9c7479beecba36d1ac731b81d78b972f6d9218e39970b25950fedc6745aee84a006eee1f7c549e11c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QYQO3A4HSV.js
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZM7G2H873M.js
    MD5: 74b40a0af45a27a9d0775e0258ff41ba
    SHA1: 4a03120a256f9887ebebf8a3206a7e4ecf58c527
    SHA256: bf54ea19bcd7d7d9bbb15d642b6d3cc58d1498d7c5351500221883ae23dbe50a
    SHA512: b717a57320f5ce37f48596a6807b2b3df23b971f0da0ff6f00596893db4e327a75c1a57f4a50c26fd0bc380a386cab37d84f6b8fd03458019b25b35614637e41

  • C:\Users\Admin\AppData\Roaming\QYQO3A4HSV.js
    MD5: 89163b043aec880959009669fc474944
    SHA1: 3b7c55c3a4c6f4711d426dc27fb8a17e11af3de8
    SHA256: 45bfabe4a6881d0321bac8905924576300aa5e20d502840e9196f5ca5fcf8836
    SHA512: eeb0074471e34becabb94c6ebcf3be3c31f47bbaba8dd9a38fef10c44af16cd08a5fc5bcbd970c1110ed53b409fa90b053e2987298ca0839fc0bed4ebbb654ae

  • C:\Users\Admin\AppData\Roaming\ZM7G2H873M.js
    MD5: eeb113b12cde1c10b750e987d1377987
    SHA1: ecc3ad2423c8a6fa71075755e17931845f9d526e
    SHA256: 8534f6deb0eb684d41427390e89265b176a4ca54a493b495e2ed3e2e96e24cf2
    SHA512: 70b8b89580599ff746f75367848ed46aa64d97077757d7d9c7479beecba36d1ac731b81d78b972f6d9218e39970b25950fedc6745aee84a006eee1f7c549e11c
