Analysis

  • max time kernel
    145s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-09-2021 05:01

General

  • Target

    a3b2ac28_icZisiD3ix.js

  • Size

    904KB

  • MD5

    a3b2ac28fb71d8461b6c90327fabb5a1

  • SHA1

    033bf48edff207df74d6b78410040f391750db8f

  • SHA256

    e33df6ad1c1f683b5fe7dd5edfe1d0f9e246ab41364b3f6ae297e717a5ff8026

  • SHA512

    4174fd12ac86611280ffb1c3afaffbeb1c888f7835747738dba38cce5c75093c6831bb509236839fb67931bc77f925575e418d89bf295e8265d0987b266efc89

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 18 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\a3b2ac28_icZisiD3ix.js
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1544
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\szkzjfx.txt"
      2⤵
      PID:2136
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2136 -s 352
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1112 Modify Registry (1)
  • Discovery
    T1082 System Information Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js
    MD5
    1ba75bca44a20a321cea4e496ce91a85
    SHA1
    5a14b44b498f56cbe7b248c537479c845ff465c6
    SHA256
    4035eee1e50075cfcaf233c8d0511dfeeeb01870b1a4baf4a43e9b37a03cc804
    SHA512
    2aaf2cafe8951a03e81d56eadb1d83516a9fc986d7ce6e8aa9a2704da1916feb900b42e271979cdfd0c8852ed2fa17c948a394d3e5977a47e2140fcb2d945481

  • C:\Users\Admin\AppData\Roaming\szkzjfx.txt
    MD5
    57845a03f0630d3fbb9caa203e940935
    SHA1
    9c4bb48d46593af760ddb9aec6160e2f379e99f7
    SHA256
    85e1a1df9973a080afe6a11d338a36994732a40cf9f891ec7f2b69dc56aed19f
    SHA512
    7ede78b67b49d91d13ab3eb642874263899231d1c4fbb1fa5575f8c904f46fb32091986b9bd9f2824859f6e6748f112314e745f0ac858d08f3a3b9b152ee64e1

  • memory/1544-114-0x0000000000000000-mapping.dmp
  • memory/2136-116-0x0000000000000000-mapping.dmp